If World IPv6 Day and other recent IPv6 publicity have convinced you that your network needs IPv6 now, I offer this advice– carefully plan your IPv6 deployment. Many of us have experienced the thrill of an exciting gift requiring assembly and quickly attempted to put it together without reading the instructions. Does this ever work out well? Rarely. The same holds true for deploying IPv6. The perils of rushing deployment are many. Here are a few that I’ve encountered.
Addressing – You are likely to regret your addressing plan if sufficient thought isn’t put into its creation. Develop a plan for addressing that fits the current and future needs of the network. The drivers that led us to skimp on IPv4 addresses no longer apply. I recommend encoding POP or geography into the addresses for troubleshooting. There are enough bits in IPv6 that you can even embed service identifying information (e.g., VoIP, content). Use static addresses on all router interfaces. Addresses obtained via stateless address autoconfiguration (SLAAC) do not belong on routers.
Infrastructure Protection- Did you remember to lock down your routers from unwanted IPv6 logins and DoS attacks aimed at the control plane? I’ve witnessed IPv6 deployments in which operator access was restricted for IPv4 addresses but completely open for IPv6. If your router vendor doesn’t offer IPv6 awareness for control plane protection/policing, interface access lists, and unicast reverse path check (uRPF), demand those features. The security challenges that IPv6 ushers in must not be overlooked.
Reverse DNS - Create the PTR records for your IPv6 address space on your DNS server. In many cases, converting in-addr.arpa zones to IP6.arpa zones is not difficult. Implement reverse DNS so that your network operations staff doesn’t have to guess at what routers are in the path of traceroute output. Depending on your IPv6 addressing scheme, the guesswork could be even more difficult with IPv6.
Distributing DNS server info – Assuming that users have an IPv4 stack for IPv6 DNS look up is a short-sighted design decision. A solid IPv6 deployment should include an IPv6 DNS server. Use DHCPv6 to distribute DNS server info. You may want to assign the well-known DNS addresses–fec0:000:0000:ffff::1, fec0:000:0000:ffff::2 and fec0:000:0000:ffff::3–as secondary addresses on your DNS server. Note that hese addresses fall into the site-local range, which has been deprecated. The effort involved in using them is minimal, and Windows 7 supports their use.
I’m certain that others can contribute to this list. We don’t have the years of widespread operational experience with IPv6 that we’ve accumulated with IPv4. We’ll get to that point quickly.
