1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
1001
1002
1003
1004
1005
1006
1007
1008
1009
1010
1011
1012
1013
1014
1015
1016
1017
1018
1019
1020
1021
1022
1023
1024
1025
1026
1027
1028
1029
1030
1031
1032
1033
1034
1035
1036
1037
1038
1039
1040
1041
1042
1043
1044
1045
1046
1047
1048
1049
1050
1051
1052
1053
1054
1055
1056
1057
1058
1059
1060
1061
1062
1063
1064
1065
1066
1067
1068
1069
1070
1071
1072
1073
1074
1075
1076
1077
1078
1079
1080
1081
1082
1083
1084
1085
1086
1087
1088
1089
1090
1091
1092
1093
1094
1095
1096
1097
1098
1099
1100
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122
1123
1124
1125
1126
1127
1128
1129
1130
1131
1132
1133
1134
1135
1136
1137
1138
1139
1140
1141
1142
1143
1144
1145
1146
1147
1148
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178
1179
1180
1181
1182
1183
1184
1185
1186
1187
1188
1189
1190
1191
1192
1193
1194
1195
1196
1197
1198
1199
1200
1201
1202
1203
1204
1205
1206
1207
1208
1209
1210
1211
1212
1213
1214
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234
1235
1236
1237
1238
1239
1240
1241
1242
1243
1244
1245
1246
1247
1248
1249
1250
1251
1252
1253
1254
1255
1256
1257
1258
1259
1260
1261
1262
1263
1264
1265
1266
1267
1268
1269
1270
1271
1272
1273
1274
1275
1276
1277
1278
1279
1280
1281
1282
1283
1284
1285
1286
1287
1288
1289
1290
1291
1292
1293
1294
1295
1296
1297
1298
1299
1300
1301
1302
1303
1304
1305
1306
1307
1308
1309
1310
1311
1312
1313
1314
1315
1316
1317
1318
1319
1320
1321
1322
1323
1324
1325
1326
1327
1328
1329
1330
1331
1332
1333
1334
1335
1336
1337
1338
1339
1340
1341
1342
1343
1344
1345
1346
1347
1348
1349
1350
1351
1352
1353
1354
1355
1356
1357
1358
1359
1360
1361
1362
1363
1364
1365
1366
1367
1368
1369
1370
1371
1372
1373
1374
1375
1376
1377
1378
1379
1380
1381
1382
1383
1384
1385
1386
1387
1388
1389
1390
1391
1392
1393
1394
1395
1396
1397
1398
1399
1400
1401
1402
1403
1404
1405
1406
1407
1408
1409
1410
1411
1412
1413
1414
1415
1416
1417
1418
1419
1420
1421
1422
1423
1424
1425
1426
1427
1428
1429
1430
1431
1432
1433
1434
1435
1436
1437
1438
1439
1440
1441
1442
1443
1444
1445
1446
1447
1448
1449
1450
1451
1452
1453
1454
1455
1456
1457
1458
1459
1460
1461
1462
1463
1464
1465
1466
1467
1468
1469
1470
1471
1472
1473
1474
1475
1476
1477
1478
1479
1480
1481
1482
1483
1484
1485
1486
1487
1488
1489
1490
1491
1492
1493
1494
1495
1496
1497
1498
1499
1500
1501
1502
1503
1504
1505
1506
1507
1508
1509
1510
1511
1512
1513
1514
1515
1516
1517
1518
1519
1520
1521
1522
1523
1524
1525
1526
1527
1528
1529
1530
1531
1532
1533
1534
1535
1536
1537
1538
1539
1540
1541
1542
1543
1544
1545
1546
1547
1548
1549
1550
1551
1552
1553
1554
1555
1556
1557
1558
1559
1560
1561
1562
1563
1564
1565
1566
1567
1568
1569
1570
1571
1572
1573
1574
1575
1576
1577
1578
1579
1580
1581
1582
1583
1584
1585
1586
1587
1588
1589
1590
1591
1592
1593
1594
1595
1596
1597
1598
1599
1600
1601
1602
1603
1604
1605
1606
1607
1608
1609
1610
1611
1612
1613
1614
1615
1616
1617
1618
1619
1620
1621
1622
1623
1624
1625
1626
1627
1628
1629
1630
1631
1632
1633
1634
1635
1636
1637
1638
1639
1640
1641
1642
1643
1644
1645
1646
1647
1648
1649
1650
1651
1652
1653
1654
1655
1656
1657
1658
1659
1660
1661
1662
1663
1664
1665
1666
1667
1668
1669
1670
1671
1672
1673
1674
1675
1676
1677
1678
1679
1680
1681
1682
1683
1684
1685
1686
1687
1688
1689
1690
1691
1692
1693
1694
1695
1696
1697
1698
1699
1700
1701
1702
1703
1704
1705
1706
1707
1708
1709
1710
1711
1712
1713
1714
1715
1716
1717
1718
1719
1720
1721
1722
1723
1724
1725
1726
1727
1728
1729
1730
1731
1732
1733
1734
1735
1736
1737
1738
1739
1740
1741
1742
1743
1744
1745
1746
1747
1748
1749
1750
1751
1752
1753
1754
1755
1756
1757
1758
1759
1760
1761
1762
1763
1764
1765
1766
1767
1768
1769
1770
1771
1772
1773
1774
1775
1776
1777
1778
1779
1780
1781
1782
1783
1784
1785
1786
1787
1788
1789
|
<pre>Network Working Group J. Bound
Request for Comments: 4852 Y. Pouffary
Category: Informational Hewlett-Packard
S. Klynsma
MITRE
T. Chown
University of Southampton
D. Green
Command Information
April 2007
<span class="h1">IPv6 Enterprise Network Analysis - IP Layer 3 Focus</span>
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2007).
Abstract
This document analyzes the transition to IPv6 in enterprise networks
focusing on IP Layer 3. These networks are characterized as having
multiple internal links and one or more router connections to one or
more Providers, and as being managed by a network operations entity.
The analysis focuses on a base set of transition notational networks
and requirements expanded from a previous document on enterprise
scenarios. Discussion is provided on a focused set of transition
analysis required for the enterprise to transition to IPv6, assuming
a Dual-IP layer (IPv4 and IPv6) network and node environment within
the enterprise. Then, a set of transition mechanisms are recommended
for each notational network.
<span class="grey">Bound, et al. Informational [Page 1]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
Table of Contents
<a href="#section-1">1</a>. Introduction ....................................................<a href="#page-3">3</a>
<a href="#section-2">2</a>. Terminology .....................................................<a href="#page-5">5</a>
<a href="#section-3">3</a>. Enterprise Matrix Analysis for Transition .......................<a href="#page-5">5</a>
<a href="#section-4">4</a>. Wide-Scale Dual-Stack Deployment Analysis ......................<a href="#page-10">10</a>
<a href="#section-4.1">4.1</a>. Staged Dual-Stack Deployment ..............................<a href="#page-10">10</a>
<a href="#section-4.2">4.2</a>. Routing Capability Analysis for Dual-IP Deployment ........<a href="#page-11">11</a>
<a href="#section-4.2.1">4.2.1</a>. IPv6 Routing Capability ............................<a href="#page-11">11</a>
<a href="#section-4.2.2">4.2.2</a>. IPv6 Routing Non-Capability ........................<a href="#page-11">11</a>
<a href="#section-4.2.2.1">4.2.2.1</a>. Tunnel IPv6 over the IPv4 infrastructure ..12
<a href="#section-4.2.2.2">4.2.2.2</a>. Deploy a Parallel IPv6 Infrastructure .....<a href="#page-12">12</a>
<a href="#section-4.3">4.3</a>. Remote IPv6 Access to the Enterprise ......................<a href="#page-12">12</a>
<a href="#section-4.4">4.4</a>. Other Considerations ......................................<a href="#page-13">13</a>
<a href="#section-5">5</a>. Sparse Dual-Stack Deployment Analysis ..........................<a href="#page-13">13</a>
<a href="#section-5.1">5.1</a>. Internal versus External Tunnel Endpoint ..................<a href="#page-13">13</a>
<a href="#section-5.2">5.2</a>. Manual versus Autoconfigured ..............................<a href="#page-14">14</a>
<a href="#section-6">6</a>. IPv6-Dominant Network Deployment Analysis ......................<a href="#page-14">14</a>
<a href="#section-7">7</a>. General Issues from Analysis ...................................<a href="#page-15">15</a>
<a href="#section-7.1">7.1</a>. Staged Plan for IPv6 Deployment ...........................<a href="#page-15">15</a>
<a href="#section-7.2">7.2</a>. Network Infrastructure Requirements .......................<a href="#page-15">15</a>
<a href="#section-7.3">7.3</a>. Stage 1: Initial Connectivity Steps .......................<a href="#page-15">15</a>
<a href="#section-7.3.1">7.3.1</a>. Obtaining External Connectivity ....................<a href="#page-16">16</a>
<a href="#section-7.3.2">7.3.2</a>. Obtaining Global IPv6 Address Space ................<a href="#page-16">16</a>
<a href="#section-7.4">7.4</a>. Stage 2: Deploying Generic Basic Service Components .......<a href="#page-16">16</a>
<a href="#section-7.4.1">7.4.1</a>. Developing an IPv6 Addressing Plan .................<a href="#page-16">16</a>
<a href="#section-7.4.2">7.4.2</a>. IPv6 DNS ...........................................<a href="#page-17">17</a>
<a href="#section-7.4.3">7.4.3</a>. IPv6 Routing .......................................<a href="#page-17">17</a>
<a href="#section-7.4.4">7.4.4</a>. Configuration of Hosts .............................<a href="#page-18">18</a>
<a href="#section-7.4.5">7.4.5</a>. Security ...........................................<a href="#page-18">18</a>
<a href="#section-7.5">7.5</a>. Stage 3: Widespread Dual-Stack Deployment On-Site .........<a href="#page-19">19</a>
<a href="#section-8">8</a>. Applicable Transition Mechanisms ...............................<a href="#page-20">20</a>
<a href="#section-8.1">8.1</a>. Recognizing Incompatible Network Touchpoints ..............<a href="#page-20">20</a>
<a href="#section-8.2">8.2</a>. Recognizing Application Incompatibilities .................<a href="#page-21">21</a>
<a href="#section-8.3">8.3</a>. Using Multiple Mechanisms to Support IPv6 Transition ......<a href="#page-22">22</a>
<a href="#section-9">9</a>. Security Considerations ........................................<a href="#page-22">22</a>
<a href="#section-10">10</a>. References ....................................................<a href="#page-22">22</a>
<a href="#section-10.1">10.1</a>. Normative References .....................................<a href="#page-22">22</a>
<a href="#section-10.2">10.2</a>. Informative References ...................................<a href="#page-24">24</a>
<a href="#section-11">11</a>. Acknowledgments ...............................................<a href="#page-25">25</a>
<a href="#appendix-A">Appendix A</a>. Crisis Management Network Scenarios ...................<a href="#page-26">26</a>
<a href="#appendix-A.1">A.1</a>. Introduction ..............................................<a href="#page-26">26</a>
A.2. Scenarios for IPv6 Deployment in Crisis Management
Networks ..................................................<a href="#page-26">26</a>
<a href="#appendix-A.3">A.3</a>. Description of a Generic Crisis Management Network ........<a href="#page-28">28</a>
<a href="#appendix-A.4">A.4</a>. Stages of IPv6 Deployment .................................<a href="#page-29">29</a>
<span class="grey">Bound, et al. Informational [Page 2]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span>
This document analyzes the transition to IPv6 in enterprise networks
focusing on IP Layer 3. These networks are characterized as having
multiple internal links, and one or more router connections to one or
more Providers, and as being managed by a network operations entity.
The analysis focuses on a base set of transition notational networks
and requirements expanded from a previous document on enterprise
scenarios. Discussion is provided on a focused set of transition
analysis required for the enterprise to transition to IPv6, assuming
a Dual-IP layer (IPv4 and IPv6) network and node environment within
the enterprise. Then, a set of transition mechanisms are recommended
for each notational network.
The audience for this document is the enterprise network team
considering deployment of IPv6. The document will be useful for
enterprise teams that have to determine the IPv6 transition strategy
for their enterprise. It is expected that those teams include
members from management, network operations, and engineering. The
analysis and notational networks presented provide an example set of
cases the enterprise can use to build an IPv6 transition strategy.
The enterprise analysis begins by describing a matrix as a tool to be
used to portray the different IPv4 and IPv6 possibilities for
deployment. The document will then provide analysis to support
enterprise-wide Dual-IP layer deployment strategy, to provide the
reader with a view of how that can be planned and what options are
available. The document then discusses the deployment of sparse IPv6
nodes within the enterprise and the requirements that need to be
considered and implemented when the enterprise remains with an IPv4-
only routing infrastructure for some time. The next discussion
focuses on the use of IPv6 when it is determined to be dominant
across or within parts of the enterprise network.
The document then discusses the general issues and applicability from
the previous analysis. The document concludes by providing a set of
current transition mechanism recommendations for the notational
network scenarios to support an enterprise that is planning to deploy
IPv6.
As stated, this document focuses only on the deployment cases where a
Dual-IP Layer 3 is supported across the network and on the nodes in
the enterprise. Additional deployment transition analysis will be
required from the effects of an IPv6-only node or Provider
deployments, and is beyond the scope of this document. In addition,
this document does not attempt to define or discuss any use with
network address translation [<a href="#ref-NATPT" title=""Network Address Translation - Protocol Translation (NAT-PT)"">NATPT</a>] or Provider Independent address
space.
<span class="grey">Bound, et al. Informational [Page 3]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
The following specific topics are currently out of scope for this
document:
- Multihoming
- Application transition/porting (see [<a href="#ref-APPS" title=""Application Aspects of IPv6 Transition"">APPS</a>]).
- IPv6 VPN, firewall, or intrusion detection deployment.
- IPv6 network management and QoS deployment.
- Detailed IT Department requirements.
- Deployment of novel IPv6 services, e.g., Mobile IPv6.
- Requirements or Transition at the Providers' network.
- Transport protocol selection for applications with IPv6.
- Application layer and configuration issues.
- IPv6 only future deployment scenarios.
This document focuses on IP Layer 3 deployment in the same way as the
other IPv6 deployment analysis works have done [<a href="#ref-UMAN" title=""Evaluation of IPv6 Transition Mechanisms for Unmanaged Networks"">UMAN</a>] [<a href="#ref-ISPA" title=""Scenarios and Analysis for Introducing IPv6 into ISP Networks"">ISPA</a>] [<a href="#ref-3GPA" title=""Analysis on IPv6 Transition in Third Generation Partnership Project (3GPP) Networks"">3GPA</a>].
This document covers deployment of IPv6 "on the wire", including
address management and DNS services.
We are also assuming that the enterprise deployment is being
undertaken by the network administration team, i.e., this document
does not discuss the case of an individual user gaining IPv6
connectivity (to some external IPv6 provider) from within an
enterprise network. Much of the analysis is applicable to wireless
networks, but there are additional considerations for wireless
networks not contained within this document.
In <a href="#section-2">Section 2</a>, we introduce the terminology used in this document. In
<a href="#section-3">Section 3</a>, we introduce and define a tools matrix and define the IP
Layer 3 connectivity requirements. In <a href="#section-4">Section 4</a>, we discuss wide
scale Dual-IP layer use within an enterprise. In <a href="#section-5">Section 5</a>, we
discuss sparse Dual-IP layer deployment within an enterprise. In
<a href="#section-6">Section 6</a>, we discuss IPv6-dominant network deployment within the
enterprise. In <a href="#section-7">Section 7</a>, we discuss general issues and
applicability. In <a href="#section-8">Section 8</a>, a set of transition mechanisms that can
support the deployment of IPv6 with an enterprise are recommended.
This document then provides <a href="#appendix-A">Appendix A</a> for readers depicting a Crisis
Management enterprise network to demonstrate an enterprise network
example that requires all the properties as analyzed in Sections <a href="#section-3">3</a>,
4, 5, 6, and 7. In addition, we recommend that readers of this
document also read another use-case document to support an IPv6
Transition for a Campus Network [<a href="#ref-CAMP" title=""IPv6 Campus Transition Scenario Description and Analysis"">CAMP</a>].
Readers should also be aware that a parallel effort for an enterprise
to transition to IPv6 is training, but out of scope for this
document.
<span class="grey">Bound, et al. Informational [Page 4]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Terminology</span>
Enterprise Network - A network that has multiple internal links, and
one or more router connections to one or more
Providers, and is actively managed by a network
operations entity.
Provider - An entity that provides services and
connectivity to the Internet or other private
external networks for the enterprise network.
IPv6-capable - A node or network capable of supporting both
IPv6 and IPv4.
IPv4-only - A node or network capable of supporting only
IPv4.
IPv6-only - A node or network capable of supporting only
IPv6. This does not imply an IPv6 only stack in
this document.
Dual-IP - A network or node that supports both IPv4 and
IPv6.
IP-capability - The ability to support IPv6 only, IPv4 only, or
Dual-IP Layer
IPv6-dominant - A network running IPv6 routing and control plane
services that provides transport for both IPv4
and IPv6 protocol services
Transition - The network strategy the enterprise uses to
Implementation transition to IPv6.
<span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Enterprise Matrix Analysis for Transition</span>
In order to identify the best-suited transition mechanisms for an
enterprise, it is recommended that the enterprise have an in-depth
up-to-date understanding of its current IT environment. This
understanding will help choose the best-suited transition mechanisms.
It is important to note that one size does not fit all. Selection of
mechanisms that reduce the impact on the existing environment is
suggested. When selecting a transition mechanism, one must consider
the functionality required, its scalability characteristic, and the
security implications of each mechanism.
To provide context for an analysis of the transitioning enterprise at
Layer 3, we have provided a matrix that describes various scenarios
<span class="grey">Bound, et al. Informational [Page 5]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
which might be encountered during an IPv6 transition. The notional
enterprise network is comprised of hosts attached to an enterprise-
owned intranet(s) at two different global locations separated by the
Internet. The enterprise owns, operates, and maintains its own
intranetworks, but relies on an external provider organization that
offers Internet Service. Both local and destination intranetworks
are operated by different organizations within the same enterprise
and consequently could have different IP-capability than other
intranetworks at certain times in the transition period.
Addressing every possible combination of network IP-capability in
this notional enterprise network is impractical; therefore, trivial
notional networks (i.e., pure IPv4, pure IPv6, and ubiquitous Dual-
IP) are not considered. In addition, the authors could not conceive
of any scenarios involving IPv6-only ISPs or IPv6-only nodes in the
near term and consequently have not addressed scenarios with IPv6-
only ISPs or IPv6-only nodes. We assume all nodes that host IPv6
applications are Dual-IP. The matrix does not assume or suggest that
network address translation is used. The authors recommend that
network address translation not be used in these notional cases.
Future enterprise transitions that support IPv6-only nodes and IPv6-
only ISPs will require separate analysis, which is beyond the scope
of this document.
Table 1 below is a matrix of ten possible Transition Implementations
that, being encountered in an enterprise, may require analysis and
the selection of an IPv6 transition mechanism for that notional
network. Each possible implementation is represented by the rows of
the matrix. The matrix describes a set of notional networks as
follows:
- The first column represents the protocol used by the application
and, below, the IP-capability of the node originating the IP
packets.
(Application/Host 1 OS)
- The second column represents the IP-capability of the host
network wherein the node originated the packet.
(Host 1 Network)
- The third column represents the IP-capability of the service
provider network.
(Service Provider)
<span class="grey">Bound, et al. Informational [Page 6]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
- The fourth column represents the IP-capability of the
destination network wherein the originating IP packets are
received.
(Host 2 Network)
- The fifth column represents the protocol used by the application
and, below, the IP-capability of the destination node receiving
the originating IP packets.
(Application/Host 2 OS)
As an example, notional network 1 is an IPv6 application residing on
a Dual-IP layer host trying to establish a communications exchange
with a destination IPv6 application. To complete the information
exchange, the packets must first traverse the host's originating IPv4
network (intranet), then the service provider's and destination
host's Dual-IP network.
Obviously, Table 1 does not describe every possible scenario.
Trivial notional networks (such as pure IPv4, pure IPv6, and
ubiquitous Dual-IP) are not addressed. However, the authors feel
these ten scenarios represent the vast majority of transitional
situations likely to be encountered in today's enterprise.
Therefore, we will use these ten to address the analysis for
enterprise deployment.
<span class="grey">Bound, et al. Informational [Page 7]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
Table 1 - Enterprise Scenario Deployment Matrix
======================================================
|Application |Host 1 |Service |Host 2 |Application |
|----------- |Network|Provider|Network|---------- |
| Host 1 OS | | | | Host 2 OS |
=====================================+================
| IPv6 | |Dual IP | | IPv6 |
A | ---- | IPv4 | or |Dual IP| ---- |
| Dual IP | | IPv4 | | Dual IP |
======================================================
| IPv6 | | | | IPv6 |
B | ---- | IPv6 | IPv4 | IPv4 | ---- |
| Dual IP | | | | Dual IP |
======================================================
| IPv4 | | | | IPv4 |
C | ---- | IPv4 |Dual IP | IPv6 | ---- |
| Dual IP | | | | Dual IP |
======================================================
| IPv4 |Dual IP| | | IPv4 |
D | ---- | or | IPv4 | IPv6 | ---- |
| Dual IP | IPv6 | | | Dual IP |
======================================================
| IPv6 |Dual IP| |Dual IP| IPv4 |
E | ---- | or |Dual IP | or | ---- |
| Dual IP | IPv6 | | IPv6 | Dual IP |
======================================================
| IPv6 | | | | IPv4 |
F | ---- | IPv6 | IPv4 | IPv4 | ---- |
| Dual IP | | | | Dual IP |
======================================================
| IPv4 | | | | IPv6 |
G | ---- | IPv6 | Dual IP| IPv6 | ---- |
| Dual IP | | | | Dual IP |
======================================================
| IPv4 | | | | IPv6 |
H | ---- | IPv6 |Dual IP | IPv4 | ---- |
| IPv4 | | | | Dual IP |
======================================================
| IPv4 | | | | IPv6 |
I | ---- | IPv6 | IPv4 | IPv6 | ---- |
| IPv4 | | | | Dual IP |
======================================================
| IPv6 | | | | IPv4 |
J | ---- | IPv4 | IPv4 | IPv6 | ---- |
| Dual IP | | | | Dual IP |
======================================================
<span class="grey">Bound, et al. Informational [Page 8]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
The reader should note that Scenarios A-C in Table 1 are variations
of compatible hosts communicating across largely (but not entirely)
homogenous networks. In each of the first three scenarios, the
packet must traverse at least one incompatible network component.
For example, Scenario B represents an enterprise that wishes to use
IPv6 applications, but has yet to transition its internal networks;
its Service Provider also lags, offering only a v4 IP-service.
Conversely, Scenario C represents an enterprise that has completed
transition to IPv6 in its core networks (as has its Service
Provider), but continues to require a legacy IPv4-based application.
Scenario D represents the unusual situation where the enterprise has
transitioned its core intranetworks to IPv6, but (like Scenario B)
it's ISP provider has yet to transition. In addition, this
enterprise continues to retain critical legacy IPv4-based
applications that must communicate over this heterogeneous network
environment.
Scenarios E-J represent transitional situations wherein the
enterprise has both IPv4 and IPv6 based instantiations of the same
application that must continue to interoperate. In addition, these
scenarios show that the enterprise has not completed transition to
IPv6 in all its organic and/or Service Provider networks. Instead,
it maintains a variety of heterogeneous network segments between the
communicating applications. Scenarios E and J represent distinctly
different extremes on either end of the spectrum. In Scenario E, the
enterprise has largely transitioned to IPv6 in both its applications
and networks. However, Scenario E shows that a few legacy IPv4-based
applications may still be found in the enterprise. On the other
hand, Scenario J shows an enterprise that has begun its transition in
a very disjointed manner and, in which IPv6-based applications and
network segments are relatively rare.
<span class="grey">Bound, et al. Informational [Page 9]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Wide-Scale Dual-Stack Deployment Analysis</span>
In this section, we address Scenario 1 as described in Section 3.1 of
[<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>]. The scenario, assumptions, and requirements are driven from
the [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>] text. This analysis further corresponds to Scenario A in
<a href="#section-3">Section 3</a> above (although Scenario A shows a transitional situation
wherein the enterprise has one network segment still lagging on
transition to Dual-IP).
Within these IPv6 deployment scenarios the enterprise network
administrator would introduce IPv6 by enabling IPv6 on the wire
(i.e., within the network infrastructure) in a structured fashion
with the existing IPv4 infrastructure. In such scenarios, a number
of the existing IPv4 routers (and thus subnets) will be made Dual-IP,
such that communications can run over either protocol.
Nodes on the Dual-IP links may themselves be IPv4-only or IPv6-
capable. The driver for deploying IPv6 on the wire may not be for
immediate wide-scale usage of IPv6, but rather to prepare an existing
IPv4 infrastructure to support IPv6-capable nodes. Thus, while IPv6
is not used, Dual-IP nodes exist, and the enterprise can be
transitioned to IPv6 on demand.
Analyzing this scenario against existing transition mechanisms for
their applicability suggests a staged approach for IPv6 deployment in
the enterprise.
<span class="h3"><a class="selflink" id="section-4.1" href="#section-4.1">4.1</a>. Staged Dual-Stack Deployment</span>
Under these scenarios (as well as most others), the site
administrator should formulate a staged plan for the introduction of
a Dual-IP IPv6 network. We suggest that <a href="#section-7">Section 7</a> of this document
provides a good basis for such a plan.
In an enterprise network, the administrator will generally seek to
deploy IPv6 in a structured, controlled manner, such that IPv6 can be
enabled on specific links at various stages of deployment. There may
be a requirement that some links remain IPv4 only, or some that
specifically should not have IPv6 connectivity (e.g., Scenario A of
Table 1). There may also be a requirement that aggregatable global
IPv6 addresses, assigned by the enterprise's upstream provider from
the address space allocated to them by the Regional Internet
Registries (RIRs), be assigned.
In this document, we do not discuss the deployment of Unique Local
IPv6 Unicast Addresses [<a href="#ref-ULA" title=""Unique Local IPv6 Unicast Addresses"">ULA</a>] because the address type and scope
selected is orthogonal to the Layer 3 analysis of this document.
<span class="grey">Bound, et al. Informational [Page 10]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
A typical deployment would initially involve the establishment of a
single "testbed" Dual-IP subnet at the enterprise site prior to wider
deployment. Such a testbed not only allows the IPv6 capability of
specific platforms and applications to be evaluated and verified, but
also permits the steps in Sections <a href="#section-7.3">7.3</a> and <a href="#section-7.4">7.4</a> of this document to be
undertaken without (potential) adverse impact on the production
elements of the enterprise.
<a href="#section-7.5">Section 7.5</a> describes the stages for the widespread deployment in the
enterprise, which could be undertaken after the basic building blocks
for IPv6 deployment are in place.
<span class="h3"><a class="selflink" id="section-4.2" href="#section-4.2">4.2</a>. Routing Capability Analysis for Dual-IP Deployment</span>
A critical part of Dual-IP deployment is the selection of the IPv6-
capable routing infrastructure to be implemented. The path taken
will depend on whether the enterprise has existing Layer 2/3
switch/router equipment that has an IPv6 (routing) capability, or
that can be upgraded to have such capability.
In <a href="#section-4">Section 4</a>, we are not considering sparse IPv6 deployment; the goal
of Dual-IP deployment is widespread use in the enterprise.
<span class="h4"><a class="selflink" id="section-4.2.1" href="#section-4.2.1">4.2.1</a>. IPv6 Routing Capability</span>
Where IPv6 routing capability exists within the infrastructure, the
network administrator can enable IPv6 on the same physical hardware
as the existing IPv4 service. Enabling both is the end-goal of any
enterprise to support Dual-IP deployment, when the capability,
performance, and robustness of the Dual-IP operational deployment has
been verified.
Ideally, the IPv6 capability will span the entire enterprise,
allowing deployment on any link or subnet. If not, techniques from
<a href="#section-4.4">Section 4.4</a> may be required.
<span class="h4"><a class="selflink" id="section-4.2.2" href="#section-4.2.2">4.2.2</a>. IPv6 Routing Non-Capability</span>
If the enterprise cannot provide IPv6 routing initially, there are
alternative methods for transition. In this case, the enterprise
administrator faces two basic choices, either to tunnel IPv6 over
some or all of the existing IPv4 infrastructure, or to deploy a
parallel IPv6 routing infrastructure providing IPv6 connectivity into
existing IPv4 subnets.
It may thus be the case that a node's IPv4 and IPv6 default routes to
reach other links (subnets) are through different routing platforms.
<span class="grey">Bound, et al. Informational [Page 11]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h5"><a class="selflink" id="section-4.2.2.1" href="#section-4.2.2.1">4.2.2.1</a>. Tunnel IPv6 over the IPv4 infrastructure</span>
Consider the situation where there exists IPv6 edge routers that are
IPv6-capable, while others, and perhaps the enterprise backbone
itself, are not IPv6-capable (Scenario B of Table 1). Tunneling, as
described in [<a href="#ref-BCNF" title=""Basic Transition Mechanisms for IPv6 Hosts and Routers"">BCNF</a>], would be established between the Dual-IP capable
routers on the enterprise, thus "bypassing" existing non IPv6-capable
routers and platforms.
In the widespread Dual-IP scenario, a more structured, manageable
method is required, where the administrator has control of the
deployment per-link and (ideally) long-term, aggregatable global IPv6
addressing is obtained, planned, and used from the outset.
<span class="h5"><a class="selflink" id="section-4.2.2.2" href="#section-4.2.2.2">4.2.2.2</a>. Deploy a Parallel IPv6 Infrastructure</span>
Alternatively, the administrator may deploy a new, separate IPv6-
capable router (or set of routers). It is quite possible that such a
parallel infrastructure would be IPv6-dominant.
Such an approach would likely require additional hardware, but it has
the advantage that the existing IPv4 routing platforms are not
disturbed by the introduction of IPv6.
To distribute IPv6 to existing IPv4 enterprise subnets, either
dedicated physical infrastructure can be employed or, if available,
IEEE 802.1q VLANs could be used, as described in [<a href="#ref-VLAN" title=""Use of VLANs for IPv4-IPv6 Coexistence in Enterprise Networks"">VLAN</a>]. The latter
has the significant advantage of not requiring any additional
physical cabling/wiring and also offers all the advantages of VLANs
for the new Dual-IP environment. Many router platforms can tag
multiple VLAN IDs on a single physical interface based on the
subnet/link the packet is destined for; thus, multiple IPv6 links can
be collapsed for delivery on a single (or small number of) physical
IPv6 router interface(s) in the early stages of deployment.
The parallel infrastructure should only be seen as an interim step
towards full Dual-IP deployment on a unified infrastructure. The
parallel infrastructure however allows all other aspects of the IPv6
enterprise services to be deployed, including IPv6 addressing, thus
making the enterprise ready for that unifying step at a later date.
<span class="h3"><a class="selflink" id="section-4.3" href="#section-4.3">4.3</a>. Remote IPv6 Access to the Enterprise</span>
When the enterprise's users are off-site, and using an ISP that does
not support any native IPv6 service or IPv6 transition aids, the
enterprise may consider deploying it's own remote IPv6 access
support. Such remote support might for example be offered by
deployment of an IPv6 Tunnel Broker [<a href="#ref-TBRK" title=""IPv6 Tunnel Broker"">TBRK</a>].
<span class="grey">Bound, et al. Informational [Page 12]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h3"><a class="selflink" id="section-4.4" href="#section-4.4">4.4</a>. Other Considerations</span>
There are some issues associated with turning IPv6 on by default,
including application connection delays, poor connectivity, and
network insecurity, as discussed in [<a href="#ref-V6DEF" title=""IPv6 Neighbor Discovery On-Link Assumption Considered Harmful"">V6DEF</a>]. The issues can be
worked around or mitigated by following the advice in [<a href="#ref-V6DEF" title=""IPv6 Neighbor Discovery On-Link Assumption Considered Harmful"">V6DEF</a>].
<span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Sparse Dual-Stack Deployment Analysis</span>
This section covers Scenario 2 as described in Section 3.1 of [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>].
This scenario assumes the requirements defined within the [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>]
text.
IPv6 deployment within the enterprise network, with an existing IPv4
infrastructure, could be motivated by mission-critical or business
applications or services that require IPv6. In this case, the
prerequisite is that only the nodes using those IPv6 applications
need to be upgraded to be IPv6-capable. The routing infrastructure
will not be upgraded to support IPv6, nor does the enterprise wish to
deploy a parallel IPv6 routing infrastructure at this point, since
this is an option in <a href="#section-4">Section 4</a>.
There is a need for end-to-end communication with IPv6, but the
infrastructure only supports IPv4 routing. Thus, the only viable
method for end-to-end communication with IPv6 is to tunnel the
traffic over the existing IPv4 infrastructure as defined in this
analysis document.
The network team needs to decide which of the available transition
tunneling mechanisms are the most efficient to deploy, so they can be
used without disrupting the existing IPv4 infrastructure. Several
conditions require analysis, as introduced in the following sub-
sections.
<span class="h3"><a class="selflink" id="section-5.1" href="#section-5.1">5.1</a>. Internal versus External Tunnel Endpoint</span>
Let's assume the upstream provider has deployed some IPv6 services,
either native IPv6 in its backbone or in the access network, or some
combination of both (Scenario B of Table 1). In this case, the
provider will likely also deploy one or more transition mechanisms to
support their IPv6 subscribers. Obviously, the enterprise could
decide to take advantage of those transition services offered from
the Provider. However, this will usually mean that individual nodes
in the network require their own IPv6-in-IPv4 tunnel. The end result
is somewhat inefficient IPv6 intranetworks communication, because all
IPv6 traffic must be forwarded by the enterprise's IPv4
infrastructure to the Tunnel Endpoint offered by the Provider.
Nevertheless, this may be acceptable, particularly if the IPv6
<span class="grey">Bound, et al. Informational [Page 13]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
applications do not require intranetworks communication at all -- for
example, when an application's server is located outside of the
enterprise network, or on other intranetworks of the same enterprise.
Alternatively, the enterprise could decide to deploy its own
transition mechanism node, possibly collocating it adjacent to the
border router that connects to the upstream Provider. In this case,
intranetnetworks communication using this tunnel endpoint is also
possible.
<span class="h3"><a class="selflink" id="section-5.2" href="#section-5.2">5.2</a>. Manual versus Autoconfigured</span>
If the number of nodes to be using IPv6 is low, the first option is
to use statically configured tunnels. However, automatically
configured tunnels may be preferable, especially if the number is
higher.
<span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. IPv6-Dominant Network Deployment Analysis</span>
In this section we are covering Scenario 3 as described in <a href="#section-3.1">Section</a>
<a href="#section-3.1">3.1</a> of [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>]. The scenario, assumptions, and requirements are
driven from the [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>] text. Within this document, this situation is
captured in Scenario C of Table 1.
Some enterprise networks may wish to employ an IPv6-dominant network
deployment strategy. What this means essentially is that the network
or specific sites within the enterprise network will transition to
IPv6 using only IPv6 routing to transfer both IPv4 and IPv6 packets
over the network, even though the network may be Dual-IP capable.
IPv4 routing would not be turned on within an IPv6-dominant network,
except if required to support edge IPv4 networks.
Under this scenario, communications between IPv6 nodes will use IPv6.
When IPv6-capable nodes in the IPv6-dominant network need to
communicate with IPv4 nodes, the IPv6 nodes will use their Dual-IP
implementation to tunnel IPv4 packets in IPv6 [<a href="#ref-V6TUN" title=""Generic Packet Tunneling in IPv6 Specification"">V6TUN</a>]. An edge
router within the IPv6-dominant network will decapsulate the IPv4
packet and route to the path of the IPv4 node on the network. This
permits Dual-IP layer nodes to communicate with legacy IPv4 nodes
within an IPv6-dominant network.
Scenarios E and F from Table 1 depict additional cases where an
IPv6-dominant deployment strategy could be in place. In Scenario E,
the entire network could be IPv6-dominant, but the Host OS 2 system
is running an IPv4 application. In Scenario F, the Host OS 1 system
network could be IPv6-dominant, but the rest of the networks are all
IPv4.
<span class="grey">Bound, et al. Informational [Page 14]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
In each case, communicating with an IPv4 end host or over an IPv4
network requires that a transition point exist within the network to
support that operation. Furthermore, the node in the IPv6-dominant
network must acquire an IPv4 address (to interoperate with the IPv4
end host), and locate a tunnel endpoint on their network which
permits the IPv4 packet to be tunneled to the next-hop IPv6 router
and eventually to a destination Dual-IP router.
While retaining interoperability with IPv4 is a noble goal for
enterprise architects, it is an unfortunate fact that maintaining
IPv4 services in an IPv6-dominant network slows and may even impede
your ability to reap the maximum benefits of IPv6.
The decision whether or not to use an IPv6-dominant network
deployment strategy is completely driven by the enterprise's business
and operational objectives and guided by the enterprise's transition
plan.
<span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. General Issues from Analysis</span>
In this section, we describe generic enterprise IPv6 deployment
issues, applicable to the analysis in Sections <a href="#section-4">4</a>-<a href="#section-6">6</a> of this document.
<span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Staged Plan for IPv6 Deployment</span>
The enterprise network administrator will need to follow a staged
plan for IPv6 deployment. What this means is that a strategic
identification of the enterprise network must be performed for all
points and components of the transition.
<span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Network Infrastructure Requirements</span>
The considerations for the enterprise components are detailed in
Section 3.2 of [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>]. We do not go into detail on all aspects of
such components in this document. In this document, we focus on
Layer 3 issues.
<span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. Stage 1: Initial Connectivity Steps</span>
The first steps for IPv6 deployment do not involve technical aspects
per se; the enterprise needs to select an external IPv6 provider and
obtain globally routable IPv6 address space from that provider.
<span class="grey">Bound, et al. Informational [Page 15]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h4"><a class="selflink" id="section-7.3.1" href="#section-7.3.1">7.3.1</a>. Obtaining External Connectivity</span>
The enterprise service provider would typically be a topographically
close IPv6 provider that is able to provide an IPv6 upstream link.
It would be expected that the enterprise would use either native IPv6
upstream connectivity or, in its absence, a manually configured
tunnel [<a href="#ref-BCNF" title=""Basic Transition Mechanisms for IPv6 Hosts and Routers"">BCNF</a>] to the upstream provider.
<span class="h4"><a class="selflink" id="section-7.3.2" href="#section-7.3.2">7.3.2</a>. Obtaining Global IPv6 Address Space</span>
The enterprise will obtain global IPv6 address space from its
selected upstream provider, as provider-assigned (PA) address space.
The enterprise should receive at least a /48 allocation from its
provider, as described in [<a href="#ref-ALLOC" title=""IAB/IESG Recommendations on IPv6 Address Allocations to Sites"">ALLOC</a>].
Should an enterprise change their provider, a procedure for
enterprise renumbering between providers is described in [<a href="#ref-RENUM" title=""Procedures for Renumbering an IPv6 Network without a Flag Day"">RENUM</a>].
<span class="h3"><a class="selflink" id="section-7.4" href="#section-7.4">7.4</a>. Stage 2: Deploying Generic Basic Service Components</span>
Most of these are discussed in Section 4 of [<a href="#ref-BSCN" title=""IPv6 Enterprise Network Scenarios"">BSCN</a>]. Here we comment
on those aspects that we believe are in scope for this analysis
document. Thus, we have not included network management,
multihoming, multicast, or application transition analysis here;
however, these aspects should be addressed in Stage 2.
<span class="h4"><a class="selflink" id="section-7.4.1" href="#section-7.4.1">7.4.1</a>. Developing an IPv6 Addressing Plan</span>
A site will need to formulate an IPv6 addressing plan, utilizing the
globally aggregatable public IPv6 prefix allocated to it by its
upstream connectivity provider.
In a Dual-IP deployment, the site will need to decide whether it
wishes to deploy IPv6 links to be congruent with existing IPv4
subnets. In this case, nodes will fall into the same links or
subnets for both protocols. Such a scheme could be followed, with
IPv6 prefix allocations being made such that room for topological
growth is provisioned (reducing the potential requirement for future
renumbering due to restructuring).
A beneficial property of IPv6 is that an administrator will not need
to invest as much effort in address conservation. With IPv4, a site
will likely allocate IPv4 subnets to be as small as possible for the
number of hosts currently in the subnet (e.g., a /26 for 50 nodes)
because IPv4 address conservation is required. This creates problems
<span class="grey">Bound, et al. Informational [Page 16]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
when the number of nodes on a subnet grows, larger IPv4 prefixes are
then required, and potentially time-consuming and disruptive
renumbering events will follow.
With IPv6, a link can in effect have any number of nodes, allowing
link growth without the need to adjust prefix allocations with the
associated renumbering requirement. The size of the initial site
allocation (currently recommended to be a /48) also is likely to
allow room for site growth without a need to return to the
connectivity provider to obtain more, potentially non-sequential,
address space (as is the case for IPv4 today, with the associated
paperwork and probable delays).
At the time of writing, best practice in IPv6 site address planning
is restricted due to limited wide-scale deployments. Administrators
should allocate /64 size prefixes for subnets, and do so in a way
that has scope for growth within a site. The site should utilize a
plan that reserves space for topological growth in the site, given
that its initial IPv6 prefix allocation (currently recommended to be
a /48) is likely to include such room for growth. Also see "IPv6
Unicast Address Assignment" [<a href="#ref-UNAD" title=""IPv6 Unicast Address Assignment"">UNAD</a>].
<span class="h4"><a class="selflink" id="section-7.4.2" href="#section-7.4.2">7.4.2</a>. IPv6 DNS</span>
The enterprise site should deploy a DNS service that is capable of
both serving IPv6 DNS records using the AAAA format [<a href="#ref-DNSV6R" title=""DNS Extensions to Support IP Version 6"">DNSV6R</a>] and
communicating over IPv6 transport.
Specific IPv6 DNS issues are reported in [<a href="#ref-DNSOP6" title=""Operational Considerations and Issues with IPv6 DNS"">DNSOP6</a>].
<span class="h4"><a class="selflink" id="section-7.4.3" href="#section-7.4.3">7.4.3</a>. IPv6 Routing</span>
The enterprise network will need to support methods for internal and
external routing.
For a single-homed single-site network, a static route to a single
upstream provider may be sufficient, although the site may choose to
use an exterior routing protocol, especially where it has multiple
upstream providers.
For internal routing, an appropriate interior routing protocol may be
deployed. IPv6 routing protocols that can be used are as follows:
BGP4+ [<a href="#ref-BGP4" title=""Multiprotocol Extensions for BGP-4"">BGP4</a>], IS-IS [<a href="#ref-ISIS" title=""OSI IS-IS Intra-domain Routing Protocol"">ISIS</a>], OSPFv3 [<a href="#ref-OSPF" title=""OSPF for IPv6"">OSPF</a>], and RIPng [<a href="#ref-RIPng" title=""RIPng for IPv6"">RIPng</a>].
<span class="grey">Bound, et al. Informational [Page 17]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h4"><a class="selflink" id="section-7.4.4" href="#section-7.4.4">7.4.4</a>. Configuration of Hosts</span>
An enterprise network will have a number of tools available for the
delegation and management of IPv4 addresses and other configuration
information. These include manual configuration, NIS [<a href="#ref-NIS" title=""Network Information Service (NIS) Configuration Options for Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">NIS</a>], and DHCP
[<a href="#ref-DHCPv4" title=""Dynamic Host Configuration Protocol"">DHCPv4</a>].
In an IPv6 enterprise, Stateless Address Autoconfiguration [<a href="#ref-CONF" title=""IPv6 Stateless Address Autoconfiguration"">CONF</a>] may
be used to configure a host with a global IPv6 address, a default
router, and on-link prefix information.
Where support for secure autoconfiguration is required, SEND [<a href="#ref-SEND" title=""SEcure Neighbor Discovery (SEND)"">SEND</a>]
can be used. Readers should see the applicability statements to
IPsec [<a href="#ref-IPSEC" title=""Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)"">IPSEC</a>] within the SEND document.
A stateless configured node wishing to gain other configuration
information (e.g., DNS, NTP servers) will likely need a Stateful
DHCPv6 [<a href="#ref-DHCPv6" title=""Dynamic Host Configuration Protocol for IPv6 (DHCPv6)"">DHCPv6</a>] service available.
For nodes configuring using DHCPv6, where DHCPv6 servers are offlink,
a DHCPv6 Relay Agent function will be required. Where DHCPv4 and
DHCPv6 service are deployed together, dual-stack considerations need
to be made, as discussed within current work on DHCP dual-stack
issues [<a href="#ref-DHDS" title=""Dynamic Host Configuration Protocol (DHCP): IPv4 and IPv6 Dual-Stack Issues"">DHDS</a>].
Hosts may also generate or request IPv6 Privacy Addresses [<a href="#ref-PRIVv6" title=""Privacy Extensions for Stateless Address Autoconfiguration in IPv6"">PRIVv6</a>];
there is support for DHCPv6 to assign privacy addresses to nodes in
managed environments.
<span class="h4"><a class="selflink" id="section-7.4.5" href="#section-7.4.5">7.4.5</a>. Security</span>
When deploying IPv6 within a Dual-IP network, a site will need to
implement its site security policy for IPv6-capable nodes as it does
for IPv4-capable nodes. For example, a border firewall should be
capable of filtering and controlling IPv6 traffic by enforcing the
same policy as it already does for IPv4.
However, a site will also need to review its security policy in light
of IPv6-specific functionality that will be deployed in the site,
e.g., Mobile IPv6, stateless autoconfiguration (and SEND), IPv6
Privacy Extensions, and end-to-end IPsec. In addition, a site will
need to review the use of globally aggregatable public address space
where, for IPv4, private addressing and NAT may have been used.
An overview of how Network Architecture Protection (NAP) using IPv6
can provide the same or more benefits without the need for NAT can be
found in [<a href="#ref-NAP" title=""Local Network Protection for IPv6"">NAP</a>]. This describes how the perceived security with IPv4
NAT can be achieved and surpassed with IPv6, i.e., how IPv6
<span class="grey">Bound, et al. Informational [Page 18]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
technology can be used to provide the market-perceived benefits of
IPv4 NAT.
Where deployed, intrusion detection systems will need to be enhanced
to check IPv6 transport both for known application layer attack
patterns and for new potential IPv6 threats, e.g., excessive hop-by-
hop headers or errant IPv6 header options.
The deployment of specific transition mechanisms may also introduce
threats, e.g., carrying IPv6 data tunneled in IPv4. The site
security policy should embrace the transition mechanisms that are
deployed.
An overview of IPv6 security issues can be found in [<a href="#ref-V6SEC" title=""IPv6 Transition/Co-existence Security Considerations"">V6SEC</a>]. This
includes discussion of issues specific to the IPv6 protocol, to
transition mechanisms, and to IPv6 deployment itself.
In addition, an enterprise should review all current host-based
security requirements for their networks and verify support for IPv6.
<span class="h3"><a class="selflink" id="section-7.5" href="#section-7.5">7.5</a>. Stage 3: Widespread Dual-Stack Deployment On-Site</span>
With the basic building blocks of external connectivity, interior
IPv6 routing, an IPv6 DNS service, and address allocation management
in place, the IPv6 capability can be rolled out to the wider
enterprise. This involves putting IPv6 on the wire in the desired
links, and enabling applications and other services to begin using an
IPv6 transport.
In the Dual-IP deployment case, this means enabling IPv6 on existing
IPv4 subnets. As described in <a href="#section-7.4.4">Section 7.4.4</a>, above, it is likely
that IPv6 links will be congruent with IPv4 subnets because IPv4
subnets tend to be created for geographic, policy, or administrative
reasons that would be IP version-independent.
While the use of IPv6 by some applications can be administratively
controlled (e.g., in the case of open source software by compiling
the application without IPv6 support enabled), the use of IPv6
transport, and preference over IPv4 transport, will vary per
application based on the developer/author's implementation.
A Dual-IP deployment will often be made by sites wishing to support
use of IPv6 within a site, even if IPv6 transport is not preferred by
all applications. Putting support for IPv6 in all site
infrastructure (DNS, email transport, etc.) allows IPv6 usage to be
phased in over time. As nodes become IPv6 capable, and applications
and services IPv6 enabled, the IPv6 capable infrastructure can be
leveraged. For most networks, Dual-IP will be at the very least a
<span class="grey">Bound, et al. Informational [Page 19]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
medium-term transition towards an IPv6-dominant future. However, the
introduction of IPv6 support, with the potential benefits of globally
aggregatable public address usage (with [<a href="#ref-NAP" title=""Local Network Protection for IPv6"">NAP</a>]) and other new IPv6
capabilities, can bring more immediate benefits for the site.
<span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Applicable Transition Mechanisms</span>
This section will provide general guidance for the use of specific
transition mechanisms which in turn can be used by the enterprise to
support the enterprise matrix notional networks (rows) in <a href="#section-3">Section 3</a>,
and within the context of the analysis discussed in Sections <a href="#section-4">4</a>, <a href="#section-5">5</a>,
and 6.
Table 1 provides a number of common scenarios that an enterprise
architect might encounter as they consider how and where they should
consider deploying transition mechanisms to support the network
transition to IPv6. Selecting the most appropriate mechanism for
each scenario is more of an art than a science and consequently
making recommendations against each of the ten scenarios would be
simply fodder for sharpshooters touting their favored product.
However we can provide some high-level guidance that should benefit
the architect's decision-making process.
<span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Recognizing Incompatible Network Touchpoints</span>
Mapping your specific situation into one of the ten scenarios of
Table 1 is far less important than recognizing the critical
touchpoints within the enterprise networks where incompatible
networks interface. Unless a transition mechanism is being offered
by the enterprise as a service, it is at these touchpoints that a
mechanism must be considered.
A quick review of Table 1 reveals that the ten scenarios can be
boiled down to variations of four major themes. The simplest, but
also most favored (due to its flexibility), is widespread Dual-IP
with compatible hosts at either end. This situation is illustrated
in Scenario A, and transition mechanism considerations have already
been described in some detail in <a href="#section-4">Section 4</a>.
In the second common theme (depicted in Scenarios B-D of Table 1),
the enterprise is comprised of compatible hosts, with one or more
incompatible network touchpoints in between. As described in <a href="#section-4.2.2.1">Section</a>
<a href="#section-4.2.2.1">4.2.2.1</a>, tunneling can be used to "bypass" the incompatible network
segments. One tunneling option, manually configured tunnels [<a href="#ref-BCNF" title=""Basic Transition Mechanisms for IPv6 Hosts and Routers"">BCNF</a>]
could be used by the enterprise, but as the name implies, this
mechanism provides no automated tunnel configuration.
<span class="grey">Bound, et al. Informational [Page 20]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-21" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
"Connection of IPv6 Domains via IPv4 Clouds" [<a href="#ref-6TO4" title=""Connection of IPv6 Domains via IPv4 Clouds"">6TO4</a>] can be used to
support enterprises that do not have an assigned IPv6 prefix address.
Identifying the responsible device to perform the tunneling is driven
by the position of the incompatible touchpoint. If a local network
is incompatible, then host tunneling is appropriate. If the backbone
(provider) network is incompatible, then gateway-to-gateway tunneling
might be a better choice. By working to ensure tunnel endpoints are
always configured at Dual-IP devices, end-to-end communication or
services (IPv4 or IPv6) can be preserved.
Readers should review the current work regarding tunnels within the
IETF Softwire working group and problem statement [<a href="#ref-SOFTW" title=""Softwire Problem Statement"">SOFTW</a>].
Having IPv6 applications on a Dual-IP host on a v4-only network
requires some form of tunneling. Where configured tunnels are not
sufficient, a more automatic solution may be appropriate. Available
solutions include the Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP) [<a href="#ref-ISTP" title=""Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)"">ISTP</a>] or Teredo [<a href="#ref-TRDO" title=""Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)"">TRDO</a>] to tunnel to a v6 end service.
ISATAP [<a href="#ref-ISTP" title=""Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)"">ISTP</a>] can be used to provide end-node IPv6 connectivity from
nodes on an isolated IPv4 network, through the use of automatic
tunneling of IPv6 in IPv4. Teredo [<a href="#ref-TRDO" title=""Teredo: Tunneling IPv6 over UDP through Network Address Translations (NATs)"">TRDO</a>] can be used when the
enterprise network is behind a NAT.
Enterprise architects should consider providing a Tunnel Broker
[<a href="#ref-TBRK" title=""IPv6 Tunnel Broker"">TBRK</a>] [<a href="#ref-TSPB" title=""IPv6 Tunnel Broker with the Tunnel Setup Protocol (TSP"">TSPB</a>] as a cost-effective service to local users or
applications. Tunnel Brokers can be used to provide tunnel setup for
an enterprise using manually configured tunnels and 6TO4 [<a href="#ref-6TO4" title=""Connection of IPv6 Domains via IPv4 Clouds"">6TO4</a>].
Tunnel Brokers can automate the use of tunnels across an enterprise
deploying IPv6.
Later in the transition process, after the enterprise has
transitioned to a predominately IPv6 infrastructure, the architect
will need to determine a network transition strategy to tunnel IPv4
within IPv6 [<a href="#ref-V6TUN" title=""Generic Packet Tunneling in IPv6 Specification"">V6TUN</a>] across IPv6-dominant links, or the enterprise
Intranet. Or in the case of early deployment of IPv6-dominant
networks, the architect will need to address this from the beginning
of the required transition planning.
<span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Recognizing Application Incompatibilities</span>
Having recognized incompatible network touchpoints, it is also
incumbent on the architect to identify application incompatibilities.
During the transition period, particularly for large enterprises, it
is to be expected that an application hosted at one location may lead
(or lag) the IPv6-compatibility of its peer (or server) at some other
location.
<span class="grey">Bound, et al. Informational [Page 21]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-22" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
This leads us to the third theme (represented by Scenarios E and G):
incompatible applications communicating across a homogenous network.
Translation is an obvious solution, but not recommended except for
legacy devices that are at the network edge and cannot or never will
be upgraded to IPv6. A more scalable solution would be to use an
Application Layer Gateway (ALG) between the incompatible hosts.
<span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Using Multiple Mechanisms to Support IPv6 Transition</span>
Inevitably, during the course of transitioning a large enterprise to
IPv6, the architect will be faced with both incompatible hosts and
simultaneously (at different parts of the enterprise) incompatible
networks. These highly complex situations represent the fourth
common theme in Table 1 (specifically depicted by Scenarios F, H, I,
and J). Maintaining IP interoperability in these situations requires
additional planning and may require multiple or even nested use of
diverse transition mechanisms. For example, an ALG collocated with
the application server may be required to service both IPv4 and IPv6
data streams that are simultaneously tunneled through incompatible
network segment(s).
<span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. Security Considerations</span>
Security considerations for IPv6 deployment in a Dual-IP environment
are discussed above in <a href="#section-7.4.5">Section 7.4.5</a>, where external references to
overview documents [<a href="#ref-V6SEC" title=""IPv6 Transition/Co-existence Security Considerations"">V6SEC</a>] [<a href="#ref-NAP" title=""Local Network Protection for IPv6"">NAP</a>] are also included.
<span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span>
<span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span>
[<a id="ref-CONF">CONF</a>] Thomson, S. and T. Narten, "IPv6 Stateless Address
Autoconfiguration", <a href="./rfc2462">RFC 2462</a>, December 1998.
[<a id="ref-DHCPv6">DHCPv6</a>] Droms, R., Ed., Bound, J., Volz, B., Lemon, T., Perkins, C.,
and M. Carney, "Dynamic Host Configuration Protocol for IPv6
(DHCPv6)", <a href="./rfc3315">RFC 3315</a>, July 2003.
[<a id="ref-6TO4">6TO4</a>] Carpenter, B. and K. Moore, "Connection of IPv6 Domains via
IPv4 Clouds", <a href="./rfc3056">RFC 3056</a>, February 2001.
[<a id="ref-BSCN">BSCN</a>] Bound, J., Ed., "IPv6 Enterprise Network Scenarios", <a href="./rfc4057">RFC</a>
<a href="./rfc4057">4057</a>, June 2005.
[<a id="ref-TRDO">TRDO</a>] Huitema, C., "Teredo: Tunneling IPv6 over UDP through
Network Address Translations (NATs)", <a href="./rfc4380">RFC 4380</a>, February
2006.
<span class="grey">Bound, et al. Informational [Page 22]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-23" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
[<a id="ref-ISTP">ISTP</a>] Templin, F., Gleeson, T., Talwar, M., and D. Thaler,
"Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)",
<a href="./rfc4214">RFC 4214</a>, October 2005.
[<a id="ref-V6TUN">V6TUN</a>] Conta, A. and S. Deering, "Generic Packet Tunneling in IPv6
Specification", <a href="./rfc2473">RFC 2473</a>, December 1998.
[<a id="ref-TBRK">TBRK</a>] Durand, A., Fasano, P., Guardini, I., and D. Lento, "IPv6
Tunnel Broker", <a href="./rfc3053">RFC 3053</a>, January 2001.
[<a id="ref-ALLOC">ALLOC</a>] IAB and IESG, "IAB/IESG Recommendations on IPv6 Address
Allocations to Sites", <a href="./rfc3177">RFC 3177</a>, September 2001.
[<a id="ref-NATPT">NATPT</a>] Tsirtsis, G. and P. Srisuresh, "Network Address Translation
- Protocol Translation (NAT-PT)", <a href="./rfc2766">RFC 2766</a>, February 2000.
[<a id="ref-UMAN">UMAN</a>] Huitema, C., Austein, R., Satapati, S., and R. van der Pol,
"Evaluation of IPv6 Transition Mechanisms for Unmanaged
Networks", <a href="./rfc3904">RFC 3904</a>, September 2004.
[<a id="ref-ISPA">ISPA</a>] Lind, M., Ksinant, V., Park, S., Baudot, A., and P. Savola,
"Scenarios and Analysis for Introducing IPv6 into ISP
Networks", <a href="./rfc4029">RFC 4029</a>, March 2005.
[<a id="ref-3GPA">3GPA</a>] Wiljakka, J., Ed., "Analysis on IPv6 Transition in Third
Generation Partnership Project (3GPP) Networks", <a href="./rfc4215">RFC 4215</a>,
October 2005.
[<a id="ref-OSPF">OSPF</a>] Coltun, R., Ferguson, D., and J. Moy, "OSPF for IPv6", <a href="./rfc2740">RFC</a>
<a href="./rfc2740">2740</a>, December 1999.
[<a id="ref-BGP4">BGP4</a>] Bates, T., Chandra, R., Katz, D., and Y. Rekhter,
"Multiprotocol Extensions for BGP-4", <a href="./rfc4760">RFC 4760</a>, January
2007.
[<a id="ref-ISIS">ISIS</a>] Oran, D., Ed., "OSI IS-IS Intra-domain Routing Protocol",
<a href="./rfc1142">RFC 1142</a>, February 1990.
[<a id="ref-RIPng">RIPng</a>] Malkin, G. and R. Minnear, "RIPng for IPv6", <a href="./rfc2080">RFC 2080</a>,
January 1997.
[<a id="ref-APPS">APPS</a>] Shin, M-K., Ed., Hong, Y-G., Hagino, J., Savola, P., and E.
Castro, "Application Aspects of IPv6 Transition", <a href="./rfc4038">RFC 4038</a>,
March 2005.
[<a id="ref-RENUM">RENUM</a>] Baker, F., Lear, E., and R. Droms, "Procedures for
Renumbering an IPv6 Network without a Flag Day", <a href="./rfc4192">RFC 4192</a>,
September 2005.
<span class="grey">Bound, et al. Informational [Page 23]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-24" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
[<a id="ref-BCNF">BCNF</a>] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
for IPv6 Hosts and Routers", <a href="./rfc4213">RFC 4213</a>, October 2005.
[<a id="ref-ULA">ULA</a>] Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
Addresses", <a href="./rfc4193">RFC 4193</a>, October 2005.
[<a id="ref-DNSOP6">DNSOP6</a>] Durand, A., Ihren, J., and P. Savola, "Operational
Considerations and Issues with IPv6 DNS", <a href="./rfc4472">RFC 4472</a>, April
2006.
[<a id="ref-DNSV6R">DNSV6R</a>] Thomson, S., Huitema, C., Ksinant, V., and M. Souissi, "DNS
Extensions to Support IP Version 6", <a href="./rfc3596">RFC 3596</a>, October 2003.
[<a id="ref-NIS">NIS</a>] Kalusivalingam, V., "Network Information Service (NIS)
Configuration Options for Dynamic Host Configuration
Protocol for IPv6 (DHCPv6)", <a href="./rfc3898">RFC 3898</a>, October 2004.
[<a id="ref-DHCPv4">DHCPv4</a>] Droms, R., "Dynamic Host Configuration Protocol", <a href="./rfc2131">RFC 2131</a>,
March 1997.
[<a id="ref-IPSEC">IPSEC</a>] Eastlake 3rd, D., "Cryptographic Algorithm Implementation
Requirements for Encapsulating Security Payload (ESP) and
Authentication Header (AH)", <a href="./rfc4305">RFC 4305</a>, December 2005.
[<a id="ref-SEND">SEND</a>] Arkko, J., Ed., Kempf, J., Zill, B., and P. Nikander,
"SEcure Neighbor Discovery (SEND)", <a href="./rfc3971">RFC 3971</a>, March 2005.
[<a id="ref-PRIVv6">PRIVv6</a>] Narten, T. and R. Draves, "Privacy Extensions for Stateless
Address Autoconfiguration in IPv6", <a href="./rfc3041">RFC 3041</a>, January 2001.
<span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span>
[<a id="ref-TSPB">TSPB</a>] Blanchet, M., and F. Parent, "IPv6 Tunnel Broker with the
Tunnel Setup Protocol (TSP", Work in Progress, August 2005.
[<a id="ref-V6SEC">V6SEC</a>] Davies, E., Krishnan, S., and P. Savola, "IPv6
Transition/Co-existence Security Considerations", Work in
Progress, October 2006.
[<a id="ref-NAP">NAP</a>] Van de Velde, G., Hain, T., Droms, R., Carpenter, B., and E.
Klein, "Local Network Protection for IPv6", Work in
Progress, January 2007.
[<a id="ref-CAMP">CAMP</a>] Chown, T., "IPv6 Campus Transition Scenario Description and
Analysis", Work in Progress, March 2007.
<span class="grey">Bound, et al. Informational [Page 24]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-25" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
[<a id="ref-DHDS">DHDS</a>] Chown, T., Venaas, S., and C. Strauf, "Dynamic Host
Configuration Protocol (DHCP): IPv4 and IPv6 Dual-Stack
Issues", <a href="./rfc4477">RFC 4477</a>, May 2006.
[<a id="ref-UNAD">UNAD</a>] Van de Velde, G., Popoviciu, C., and T. Chown, "IPv6 Unicast
Address Assignment", Work in Progress, March 2007.
[<a id="ref-VLAN">VLAN</a>] Chown, T., "Use of VLANs for IPv4-IPv6 Coexistence in
Enterprise Networks", <a href="./rfc4554">RFC 4554</a>, June 2006.
[<a id="ref-V6DEF">V6DEF</a>] Roy, S., Durand, A., and J. Paugh, "IPv6 Neighbor Discovery
On-Link Assumption Considered Harmful", Work in Progress,
January 2006.
[<a id="ref-SOFTW">SOFTW</a>] Dawkins, S., Ed., <a style="text-decoration: none" href='https://www.google.com/search?sitesearch=datatracker.ietf.org%2Fdoc%2Fhtml%2F&q=inurl:draft-+%22Softwire+Problem+Statement%22'>"Softwire Problem Statement"</a>, Work in
Progress, March 2007.
<span class="h2"><a class="selflink" id="section-11" href="#section-11">11</a>. Acknowledgments</span>
The authors would like to acknowledge contributions from the
following: IETF v6ops Working Group members, Fred Baker, Pekka
Savola, and Jordi Palet
<span class="grey">Bound, et al. Informational [Page 25]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-26" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Crisis Management Network Scenarios</span>
<span class="h3"><a class="selflink" id="appendix-A.1" href="#appendix-A.1">A.1</a>. Introduction</span>
This appendix first describes different scenarios for the
introduction of IPv6 into a crisis management network for emergency
services, defense, or security forces that are currently running IPv4
service. Then, the scenarios for introducing IPv6 are analyzed, and
the relevance of already defined transition mechanisms are evaluated.
Known challenges are also identified.
When a crisis management enterprise deploys IPv6, its goal is to
provide IPv6 connectivity on its institutional fixed networks and on
the mobile wireless services that are deployed to a crisis area. The
new IPv6 service must be added to an already existing IPv4 service,
the introduction of IPv6 must not interrupt this IPv4 service, and
the IPv6 services must be interoperable with existing IPv4 services.
Crisis management enterprises accessing IPv4 service across mobile
ground networks, airborne networks, and satellites will find
different ways to add IPv6 to this service based on their network
architecture, funding, and institutional goals. This document
discusses a small set of scenarios representing the architectures for
IPv6 expected to be dominant in crisis management networks during the
next decade. This document evaluates the relevance of the existing
transition mechanisms in the context of these deployment scenarios,
and points out the lack of essential functionality within these
methods for a provider to support IPv6 services for these scenarios.
The document focuses on services that include both IPv6 and IPv4 and
does cover issues surrounding accessing IPv4 services across IPv6-
only networks. It is outside the scope of this document to describe
detailed implementation plans for IPv6 in defense networks.
<span class="h3"><a class="selflink" id="appendix-A.2" href="#appendix-A.2">A.2</a>. Scenarios for IPv6 Deployment in Crisis Management Networks</span>
Scenario 1: Limited IPv6 Deployment Network
Sparse IPv6 dual-stack deployment in an existing IPv4 network
infrastructure. Enterprise with an existing IPv4 network wants to
deploy a set of particular IPv6 "applications" and have some ability
to interoperate with other institutions that are using IPv6 services.
The IPv6 deployment is limited to the minimum required to operate
this set of applications.
Assumptions: IPv6 software/hardware components for the application
are available, and platforms for the application are IPv6 capable.
<span class="grey">Bound, et al. Informational [Page 26]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-27" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
Requirements: Do not disrupt IPv4 infrastructure.
Scenario 2: Dual-Stack Network
Wide-scale/total dual-stack deployment of IPv4 and IPv6 capable hosts
and network infrastructure. Enterprise with an existing IPv4 network
wants to deploy IPv6 in conjunction with their IPv4 network in order
to take advantage of emerging IPv6 network-centric capabilities and
to be interoperable with other agencies, international partners, and
commercial enterprises that are deploying an IPv6 architecture.
Assumptions: The IPv4 network infrastructure used has an equivalent
capability in IPv6.
Requirements: Do not disrupt existing IPv4 network infrastructure
with IPv6. IPv6 should be equivalent or "better" than the network
infrastructure in IPv4. It may not be feasible to deploy IPv6 on all
parts of the network immediately. Dual-stacked defense enterprise
network must be interoperable with both IPv4 and IPv6 networks and
applications.
Scenario 3: IPv6-Dominant Network
Enterprise has some limited IPv4-capable/only nodes/applications
needing to communicate over the IPv6 infrastructure. Crisis
management enterprise re-structuring an existing network, decides to
pursue aggressive IPv6 transition as an enabler for network-centric
services and wants to run some native IPv6-only networks to eliminate
cost/complexity of supporting a dual stack. Some legacy IPv4 capable
nodes/applications within the enterprise will have slow technical
refresh/replacement paths and will need to communicate over the IPv6
dominant infrastructure for years until they are replaced. The
IPv6-dominant enterprise network will need to be interoperable with
its own legacy networks, commercial networks, and the legacy networks
of similar organizations that will remain IPv4-dominant during a long
transition period. Reserve units, contractors, other agencies, and
international partners may need IPv4 service across this enterprise's
IPv6-dominant backbone.
Assumptions: Required IPv6 network infrastructure is available, or
available over some defined timeline, supporting the aggressive
transition plan.
Requirements: Reduce operation and maintenance requirements and
increase net-centricity through aggressive IPv6 transition.
Interoperation and coexistence with legacy IPv4 networks and
applications is required. Legacy IPv4 nodes/applications/networks
will need to be able to operate across the IPv6 backbone and need to
<span class="grey">Bound, et al. Informational [Page 27]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-28" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
be able to interoperate with the IPv6-dominant network's
nodes/applications.
<span class="h3"><a class="selflink" id="appendix-A.3" href="#appendix-A.3">A.3</a>. Description of a Generic Crisis Management Network</span>
A generic network topology for crisis management reflects the various
ways a crisis management network can connect customers through their
network infrastructure. Because the institution's existing wired and
fixed-site wireless infrastructure can be destroyed or unavailable in
a crisis, the crisis management network must be able to deploy its
own mobile wireless network or connect through external wired and
wireless networks provided by ISPs or partner organizations. This
infrastructure lets us divide the basic areas for IPv4/IPv6
interoperability into three main areas: the customer applications,
the local network, and the network backbone.
The basic components in a crisis management network are depicted in
Figure 1.
------------ ---------- ---- Wired Connection
| Network and| | | .... Wireless Connection
| Service |--| Backbone |
| Operation | | |
------------ ----------
/ | ---------------------
/ : _|Connection to |
/ : |Commercial Internet |
/ : ---------------------
Network Backbone
-------------- /------|-------------|--------------------
---------- / ---------- ----------
| Home |/ | Wireless | |External |.............
| Base | | Mobile | |Untrusted |+--------- :
| Network | | Network | |Network | | :
---------- ---------- ---------- | :
| : : | :
Local Network
-----:------------:-----------------------------------
Customer Applications
| : : | :
+--------+ +--------+ +--------+ | :
| | | | | | | :
|Customer| |Customer| |Customer|+----------- :
| | | | | |..............
+--------+ +--------+ +--------+
Figure 1: Crisis Management Network Topology.
<span class="grey">Bound, et al. Informational [Page 28]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-29" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
<span class="h3"><a class="selflink" id="appendix-A.4" href="#appendix-A.4">A.4</a>. Stages of IPv6 Deployment</span>
The stages are derived from the generic description of scenarios for
crisis management networks in <a href="#section-2">Section 2</a>. Combinations of different
building blocks that constitute a crisis network environment lead to
a number of scenarios from which the network engineers can choose.
The scenarios most relevant to this document are those that maximize
the network's ability to offer IPv6 to its customers in the most
efficient and feasible way. In the first three stages, the goal is
to offer both IPv4 and IPv6 to the customer, and it is assumed that
in the distant future, all IPv4 services will be eventually switched
to IPv6. This document will cover engineering the first four stages.
The four most probable stages are:
o Stage 1 Limited Launch
o Stage 2 Dual-Stack Dominance
o Stage 3 IPv6 Dominance
o Stage 4 IPv6 Transition Complete
Generally, a crisis management network is able to entirely upgrade a
current IPv4 network to provide IPv6 services via a dual-stack
network in Stage 2 and then slowly progress to Stages 3 and 4 as
indicated in Figure 2. During Stage 2, when most applications are
IPv6 dominant, operational and maintenance costs can be reduced on
some networks by moving to Stage 3 and running backbone networks
entirely on IPv6, while adding IPv4 backwards compatibility via v4 in
v6 tunneling or translation mechanisms to the existing configuration
from Stage 2. When designing a new network, if a new IPv6-only
service is required, it can be implemented at a lower cost by jumping
directly to Stage 3/4 if there are only limited or no legacy
concerns.
Stage 1: Limited Launch
The first stage begins with an IPv4-only network and IPv4 customers.
This is the most common case today and the natural starting point for
the introduction of IPv6. During this stage, the enterprise begins
to connect individual IPv6 applications run on dual-stacked hosts
through host-based tunneling using Tunnel Broker, ISATAP, or Teredo.
Some early adopter networks are created for pilot studies and
networked together through configured tunnels and 6to4.
The immediate first step consists of obtaining a prefix allocation
(typically a /32) from the appropriate RIR (e.g., AfriNIC, APNIC,
ARIN, LACNIC, RIPE) according to allocation procedures.
<span class="grey">Bound, et al. Informational [Page 29]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-30" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
The crisis management enterprise will also need to establish IPv6
connectivity between its home base networks and mobile wireless
networks over its backbone. It will need to negotiate IPv6 service
with its service providers and with peer organizations; it is of
utmost importance to require IPv6 capability or an upgrade plan when
negotiating purchases of network applications and infrastructure. In
the short term, network connections, especially legacy wireless
networks that cannot provide IPv6 services, can provide IPv6 services
through the use of tunnels. However, the longer-term goal must be
requiring and obtaining IPv6 native connectivity from the transit
networks. Otherwise, the quality of IPv6 connectivity will likely be
poor and the transition to Stage 2 will be delayed.
Stage 2: Dual-Stack Dominance
Stage 2 occurs when most applications, local networks, and network
backbones become dual-stacked so that native IPv6 connections are
enabled. At this point there is a mix of IPv4 and IPv6 applications
and services in use across the enterprise. The enterprise may be
made IPv6-capable through either software upgrades, hardware
upgrades, or a combination of both. Generally IPv6 is added during
normal technical refresh as the enterprise buys new equipment that is
IPv6 ready.
Specialty legacy applications and wireless/satellite networks may be
especially slow to transition to IPv6 capability due to upgrade
costs, so plans must be made for backwards compatibility for these
systems. Since some new IPv6 services cannot be provided through
IPv4, and some legacy network connections may not yet be upgraded,
tunneling mechanisms have to be provided on the backbone to provide
IPv6 connectivity through to customer IPv6 applications still relying
on legacy IPv4-only networks. The tunnels may provide host-based
tunneling for individual customers or site-to-site tunnels to connect
small IPv6 domains through IPv4-only networks. If any new
applications are IPv6-only rather than dual-stacked, and need to
interact with IPv4-only legacy applications, translators will be used
as a transition mechanism of last resort during this stage.
Stage 3: IPv6 Dominance
Applications are deployed specifically to use IPv6 as benefit; thus,
network backbone and nodes use IPv6 and not IPv4, except where IPv4
is legacy.
<span class="grey">Bound, et al. Informational [Page 30]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-31" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
Authors' Addresses
Jim Bound
HP
110 Spitbrook Road
Nashua, NH 03062
USA
Phone: 603.465.3130
EMail: jim.bound@hp.com
Yanick Pouffary
HP Competency Center
950, Route des Colles, BP027,
06901 Sophia Antipolis CEDEX
FRANCE
Phone: + 33492956285
EMail: Yanick.pouffary@hp.com
Tim Chown
School of Electronics and Computer Science
University of Southampton
Southampton SO17 1BJ
United Kingdom
EMail: tjc@ecs.soton.ac.uk
David Green
Command Information
13655 Dulles Technology Drive
Suite 500
Herndon, VA 20171
USA
Phone: 703.561.5937
EMail: green@commandinformation.com
Steve Klynsma
The MITRE Corporation
7515 Colshire Drive
McLean, VA 22102-5708
USA
Phone: 703-883-6469
EMail: sklynsma@mitre.org
<span class="grey">Bound, et al. Informational [Page 31]</span></pre>
<hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-32" ></span>
<span class="grey"><a href="./rfc4852">RFC 4852</a> IPv6 Enterprise Network Analysis April 2007</span>
Full Copyright Statement
Copyright (C) The IETF Trust (2007).
This document is subject to the rights, licenses and restrictions
contained in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a>, and except as set forth therein, the authors
retain all their rights.
This document and the information contained herein are provided on an
"AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Intellectual Property
The IETF takes no position regarding the validity or scope of any
Intellectual Property Rights or other rights that might be claimed to
pertain to the implementation or use of the technology described in
this document or the extent to which any license under such rights
might or might not be available; nor does it represent that it has
made any independent effort to identify any such rights. Information
on the procedures with respect to rights in RFC documents can be
found in <a href="https://www.rfc-editor.org/bcp/bcp78">BCP 78</a> and <a href="https://www.rfc-editor.org/bcp/bcp79">BCP 79</a>.
Copies of IPR disclosures made to the IETF Secretariat and any
assurances of licenses to be made available, or the result of an
attempt made to obtain a general license or permission for the use of
such proprietary rights by implementers or users of this
specification can be obtained from the IETF on-line IPR repository at
<a href="http://www.ietf.org/ipr">http://www.ietf.org/ipr</a>.
The IETF invites any interested party to bring to its attention any
copyrights, patents or patent applications, or other proprietary
rights that may cover technology that may be required to implement
this standard. Please address the information to the IETF at
ietf-ipr@ietf.org.
Acknowledgement
Funding for the RFC Editor function is currently provided by the
Internet Society.
Bound, et al. Informational [Page 32]
</pre>
|
