Enabling IPv6 in the Enterprise
R. Kevin Oberman, Sr. Network Engineer
ESCC Meeting, Clemson University
February 3, 2011

IPv6 and ESnet Public Services
• ESnet runs IPv6 capable public services including:
  - DNS
  - NTP
  - Mail
  - Web
• Meets all requirements of OMB IPv6 mandate for 2012
• This also requires that our IDS/RTBH handle IPv6
• Management tools must be IPv6 capable
  - We already collect SNMP statistics via IPv6
9/8/2021 Lawrence Berkeley National Laboratory, U.S. Department of Energy | Office of Science

Getting ready
• Confirm IPv6 readiness of any required management and/or security tools with vendors
• (Yes, hackers know about IPv6)
• Resolve any issues you might discover
• Set up a test system
• Best to have it outside of your firewall
• Turn off IPv4 while testing IPv6 services
  - This will catch any missed IPv4 dependencies like embedded IPv4 addresses

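One way to pre-screen configuration files for the embedded IPv4 addresses this slide warns about, before turning IPv4 off on the test system. This is an added example, not part of the original presentation; the function names and the sample configuration are constructed for illustration.

```python
"""Find IPv4 literals that would break a service once IPv4 is turned off."""
import ipaddress
import pathlib
import re
import sys

# Dotted quad not embedded in a longer dotted/alphanumeric run, so SNMP OIDs
# and five-part version strings are skipped. Four-part versions still match.
QUAD = re.compile(r"(?<![\w.])\d{1,3}(?:\.\d{1,3}){3}(?![\w.])")

def classify(addr):
    if addr.is_unspecified:
        return "wildcard"   # 0.0.0.0: listener bound to IPv4 only
    if addr.is_loopback:
        return "loopback"   # 127.0.0.0/8: needs ::1 or a hostname
    return "literal"        # hard-coded peer, ACL entry or prefix

def scan(text):
    """Return (line_number, address, kind) for each IPv4 literal in text."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for match in QUAD.finditer(line):
            octets = [int(part) for part in match.group().split(".")]
            if max(octets) > 255:
                continue    # not an address, e.g. 300.1.2.3
            addr = ipaddress.IPv4Address(".".join(map(str, octets)))
            findings.append((lineno, str(addr), classify(addr)))
    return findings

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
listen 0.0.0.0:8080
upstream_dns = 192.0.2.53
statsd_host = 127.0.0.1
snmp_oid = 1.3.6.1.4.1.2021.11
ntp_server = ntp.example.net
allow_from = 198.51.100.0/24
"""

if __name__ == "__main__":
    # Scan the files named on the command line, or the sample if none given.
    paths = sys.argv[1:]
    texts = [(p, pathlib.Path(p).read_text(errors="replace")) for p in paths]
    for name, text in texts or [("SAMPLE", SAMPLE)]:
        for lineno, addr, kind in scan(text):
            print(f"{name}:{lineno}: {addr} ({kind})")
```

A static scan only narrows the search; addresses compiled into binaries or stored in databases still show up only in the IPv4-off test itself.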
IPv6 Transition Checklist
The basic guidelines in this presentation are detailed at: http://www.es.net/hypertext/IPv6-transition-checklist.html

Start with DNS
• DNS is key to enabling IPv6
• Most server software can do IPv6 with only a configuration change
  - One line in named.conf for BIND
  - Similar for NSD
  - Don't know about Microsoft
• Until "glue" is placed in the parent, it has NO production impact, but will allow testing
  - Due to lack of impact, I suggest just turning it on
  - Allows queries over IPv6
  - Responses are unaffected

Add AAAA records
• AAAA records effectively "turn on" IPv6 to a server
• Add them to publicly available servers or views ONLY when you are ready for IPv6 access to services!
• ACLs are strongly recommended for testing
  - Easily maintained for access from a small, well defined set of clients
  - Easier to set up for short term use than views

Test, test, and test some more
• Before you allow public access to the IPv6 service, testing is critical
• Allow staff to access the IPv6 services on a selective basis
  - This requires enabling IPv6 on these systems
• Run security tests from an external system