V6ops Working Group Enterprise Network Scenarios Design Team INTERNET-DRAFT: draft-ietf-v6ops-entnet-scenarios-00.txt OBSOLETES : draft-pouffary-v6ops-ent-v6net-03.txt Yanick Pouffary (Chair) Jim Bound (Editor) Enterprise Networks Scenarios Design Team See Acknowledgements Section February 2003 IPv6 Enterprise Networks Scenarios Status of this Memo This document is an Internet-Draft and is in full conformance with all provisions of Section 10 of RFC2026. Internet-Drafts are working documents of the Internet Engineering Task Force (IETF), its areas, and its working groups. Note that other groups may also distribute working documents as Internet- Drafts. Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet- Drafts as reference material or to cite them other than as "work in progress." The list of current Internet-Drafts can be accessed at http://www.ietf.org/1id-abstracts.html The list of Internet-Draft Shadow Directories can be accessed at http://www.ietf.org/shadow.html draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 1] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 Abstract IPv6 will be deployed in Enterprise networks. This scenario has requirements for the adoption of IPv6. This document will focus upon and define: a set of technology scenarios that shall exist for the enterprise network, the set of transition variables, transition methods, and tools required by different scenarios. The document using these definitions will define the points of transition for an Enterprise network. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 2] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 Table of Contents: 1. Introduction.................................................4 2. Requirements.................................................5 3. Terminology..................................................6 4. Enterprise Network Assumptions...............................7 5. Enterprise Network Scenarios Overview........................9 6. Enterprise Points of Transition Methods.....................11 6.1 M1: IPv4 Tunnels to Encapsulate IPv6....................11 6.2 M2: IPv6 Tunnels to Encapsulate IPv4....................11 6.3 M3: IPv6 NAT to Communicate with IPv4...................11 6.4 M4: IPv6 Native LANs....................................12 6.5 M5: IPv6 Native Routing Domains.........................12 6.6 M6: Dual Stack Nodes supporting IPv6 and IPv4...........12 7. Enterprise Network Infrastructure Points of Transition......13 7.1 DNS.....................................................13 7.2 Routing.................................................13 7.3 Autoconfiguration.......................................13 7.4 Security................................................13 7.5 Applications and APIs...................................14 7.6 IPv6 Address Scoping....................................14 7.7 Network Management......................................14 7.8 Address Planning........................................14 8. Enterprise Tools Requirements...............................15 8.1 Routing Configuration...................................15 8.2 DNS Configuration.......................................15 8.3 IPv6 Address Allocation and Configuration...............15 8.4 IPv4 Address Allocation and Configuration...............15 8.5 VPN/Tunnel Configuration................................15 8.6 Mobile Node IPv4/IPv6 Interoperation Configuration......15 9. Enterprise Network Scenarios in Depth.......................16 10. Enteprise Network Scenarios Matrix Graph...................16 11. Applicability Statement....................................16 12. Security Section...........................................16 Acknowledgments................................................16 References.....................................................16 Design Team' Addresses.........................................17 draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 3] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 1. Introduction IPv6 will be deployed in Enterprise networks. This scenario has requirements for the adoption of IPv6. This document will focus upon and define: a set of technology scenarios that shall exist for the enterprise network, the set of transition variables, transition methods, and tools required by different scenarios. The document using these definitions will define the points of transition for an Enterprise network. The audience for this document is the enterprise network team considering deployment of IPv6. It is needed to clearly state the problem space so there is a common understanding of the need for transition tools in general. Specifically it is intended to show that the enterprise brings an important set of cases that the transition tools have to address. It will attempt to describe common environments and the issues that are important to a transition. To frame the discussion, it will focus on administrative policy rather than size, and break that down by services available within the enterprise. The business value and high level motivation for each technical approach will be touched on in terms of cost/benefit aspects. This value is expected to affect the order of deployment an enterprise will take, so the document will try to order approaches according to value. While it is difficult to quantify all the potential motivations for enterprise network teams to move to IPv6, there are some cases where an abstract description is possible. The primary case is the detrimental affect on the basic business processes caused by a lack of available IPv4 addresses. This may be through IPv4-NAT breaking applications or security technologies, or the simple inability to achieve a viable business model with current allocation policies. With a simpler end-to-end approach to accomplishing the business goal, IPv6 provides strong motivations to move. Another related motivator is avoiding the significant and frequently hidden burden on IT of continually balancing the available IPv4 address pool against the number of devices attached to a particular network of subnets. This is generally a problem with fast growing satellite offices, but also occurs as business priorities cause rapid reorganization. Using the autoconfiguration capabilities of IPv6, the effort aligns with the need for new independently routed segments, rather than the shifting number of devices that may be attached to any given network segment. A slightly different motivator is the case of the enterprise that develops products for other enterprises, where the consuming enterprise has an insufficient pool of IPv4 addresses. While on the surface this is another shortage motivator, the real business motivator is for the supplier to avoid having to build and continually update their product to work despite the presence of IPv4-NAT. The NAT-traversal problem requires both substantial resources to develop the work-around, as well as provide the additional infrastructure components. Each of these raise the cost to develop the product, therefore make it less competitive than a draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 4] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 comparable IPv6 based product. Another case to consider are new enterprise networks that want to begin their operations with IPv6 from day one. 2. Requirements The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 5] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 3. Terminology Enterprise Network - An Enterprise Network is a network that has multiple links, a router conection to a Provider, and is actively managed by a network operations entity. Provider - A Provider is an entity that provides services and connectivity to the Internet or other private external networks for the Enterprise Network. Edge - The Edge is the ingress and egress points connecting to the Internet, Extranet, or to another private external network. Administrative Domain - An Administrative Domain are the ingress and egress points connecting nodes across the Enterprise Network, behind the Edges. Extranet - An Extranet is any Enterprise Network owned network components at the Edge, but not part of the Administrative Domain. Border Router - An Enterprise Network Border Router is a a router that is configured at the Edges. Internal Router - An Enterprise Network Internal Router is a router that is not configured at an Edge, but within the Administrative Domain. Mobile - An Enterprise Network condition when a node changes its network location, or is not attached to the Administrative Domain. Mobile Node - An Enterprise Network Mobile Node is any node that is Mobile within or not within the enterprise, or as remote telecommuting node. Points of Transtion - An Enterprise Network Point of Transition is a general abstraction to note functions that must be defined for the transition to IPv6. Internet Network Provider - A Provider for connectivity and services to the public Internet. Private Network Provider - A Provider for connectivity and services to a private Internet. Dual Stack IPv4/IPv6 Node - A node that supports IPv4 and IPv6. IPv4 ONLY Node - A node that only supports IPv4. IPv6 ONLY Node - A node that only supports IPv6 draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 6] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 4. Enterprise Network Assumptions In this section assumptions about the enterprise network for this document are provided. Each network will need to select the method to best suit their business requirements. Any attempt to define a default or one- size-fits-all set of variables and methods for all scenarios would result in failure. Every node that can be addressed by another node must be in a registered name service, managing this name service is a significant scaling challenge for the Enterprise. Applications that support multiple users on multiple nodes (multi-Party) require globally consistent addresses for peer-to- peer communications. Bi-directional communication between two nodes across Service Provider networks is often used as a crude level of authenticity, having the IP addresses in the IP header be the same as from where the nodes data packet came from provides a rudimentary component of security. Enterprise Networks will vary in size and network complexity from a small office to a large manufacturing operation with multiple sites, across a wide geography Points of Transition will need to be defined for the following: - Routers - Non Router Nodes - Network Topology - Network Applications - Network Management and Tools - Network Security - Network Mobility - Network VPNs - Network Telecommuter Work Force - Network Inter Site Communications This document will identify those Points of Transition and discuss them within a set of scenarios. This document will not provide solutions. A set of suggested solutions will be provided in a follow on document to this work. Enterprise Networks will vary how they approach the transition to IPv6 depending on a set of transition variables (V1..VN): V1: IPv4 NAT and Firewall uses IPv4 private addresses. V2: IPv4 Firewall uses IPv4 global routable addresses. V3: Applications must be able to communicate between remote Administrative Domains. V4: The methods and security used to access the Administrative Domain for Telecommuters and Mobile Nodes. V5: IPv6 software upgrades are not available for existing routers and nodes. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 7] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 V6: Source code for applications have been lost or cannot be upgraded to IPv6. V7: New business function being defined and can exist without extensive access to legacy IPv4 networks and nodes. V8: Mission critical applications must be able to interoperate with legacy IPv4 nodes. V9: Legacy IPv4 nodes can be upgraded to support dual stack IPv4 and IPv6. V10: Legacy IPv4 nodes cannot be upgraded to support dual stack IPv4 and IPv6. V11: What sections of the network for an existing network or new network will move towards IPv6 deployment first, second, ...., last, and at what rate. V12: What are the network security requirements for the Enterprise Network. V13: Provider does not support IPv6. The transition variables are the parameters to the first function to determine the functions for a scenario. Once the transition variables are understood then the next step is to select transition methods as follows (M1..MN): M1: IPv4 Tunnels to Encapsulate IPv6 M2: IPv6 Tunnels to Encapsulate IPv4 M3: IPv6 NAT to Communicate with IPv4 M4: IPv6 Native LANs M5: IPv6 Native Routing Domains M6: Dual Stack Nodes supporting IPv6 and IPv4 M7: IPv6 Tunnels to Encapsulate IPv6 This document will define a list of sets for transition variables, methods, and tool requirements, which will provide a three dimensional system for analysis that can be used to extrapolate a set of solutions. Where the X axis is the transition variables (V#), the Y axis the transition method (M#), and the Z axis the tools requirement set (section 8) to support X and Y conditions. This point on the graph will be an transtion strategy. After the document describes the scenarios in depth (section 9) the graph will be depicted in a matrix for readers of this document (section 10) draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 8] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 5. Enterprise Network Scenarios Overview It would be impossible for any one document to describe all the potential scenarios as networks deploy IPv6. Attempting to break the problem space down and cover the high level perspectives, this document will separate the scenarios by administrative scope and policy. Within each, the various ISP service offerings produce 15 cases to describe. Finally, we find there are 27 cases when the additional characteristic of host and application-first versus network-first approaches are considered. The 15 above is 5 cases x 3 offerings. The 27 comes from the doubling by discussing network vs. application first, minus the 3 offerings from set D because it has to be done all at once. Another way to describe the table is scenarios x offerings x order = (4 x 3 x 2) + (1 x 3 x 1). Without looking for a one-size-fits-all, to simplify the document we will assume a single motivating application. The multi-party peer-to- peer conferencing application they are deploying to improve productivity requires unambiguous addresses. The IPv6 enabled application needs to communicate with each party as a peer, while other applications on those systems still need access to IPv4 based services. Critical issues for each: Addressing : Dynamic vs. control w/administrative burden DNS : Dynamic vs. control w/administrative burden Public visibility of the name space. AAA : Internal & external Mobility of road warrior and telecommuters Applications: What applications are needed PMTUD : Support for discovery vs. traditional ICMP aversion Mobility : Requirements for nodes Management : Network and tools management Trust system between host & network management teams: Dual-stack vs. IPv6-only IPv6-only is a restricted capability subset Routing Architectural concept of tunneling over foo vs. native service Scenario set A: Single geographic region, single administration & policy ISP offering - IPv4-only IPv4 & IPv6 IPv6-only Deployment order - Hosts & Apps first Network first Scenario set B: Multiple geographic regions, single administration & policy ISP offering - IPv4-only IPv4 & IPv6 IPv6-only Deployment order - Hosts & Apps first Network first Scenario set C: draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 9] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 Multiple geographic regions, multiple administrations & policy ISP offering - IPv4-only IPv4 & IPv6 IPv6-only Deployment order - Hosts & Apps first Network first Scenario set D: New enterprise, looking to avoid a transition ISP offering - IPv4-only IPv4 & IPv6 IPv6-only Deployment order - All at once by definition Scenario set E: Enterprise Services for remote users ISP offering - IPv4-only IPv4 & IPv6 IPv6-only Deployment order - Hosts & Apps first Network first Scenario #1 An enterprise has an existing IPv4 network and is adding IPv6 between geographic sites. Set A and B. Scenario #2 An enterprise deploys wireless services where groups of access points end up on different subnets. Set A and B. Scenario #3 A multi-site enterprise has deployed IPv4-NAT with overlapping private address ranges between the sites. Set A and B. Scenario #4 A global enterprise interacts with a public and private Internet as a cohesive unit, but is composed of several administratively distinct business units. Set C. Scenario #5 Two large enterprises using IPv4-NAT merge with the consequence that large segments of private network address space overlap. Set C. Scenario #6 A new Enterprise providing location based services for over a wide geography enables mobile devices for their Account Teams to access network data and services. Set D. Scenario #6 (subset of all scenarios) Enterprise employees telecommute to work from home, or during business travel. Set E. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 10] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 6. Enterprise Points of Transition Methods The Enterprise network will have varying points of transition that will require different points of interoperability with IPv6 and IPv4. These points of transition are the fulcrum of the template to define what is required for Enterprise networks within the focus of this document. 6.1 M1: IPv4 Tunnels to Encapsulate IPv6 This Point of Transition exists for the following conditions: 1. Two Dual Stacked IPv4/IPv6 nodes want to communicate using IPv6, but an IPv4 Internal Router is between them. These nodes could also be Mobile nodes too and in a remote location. 2. Two Dual Stacked IPv4/IPv6 nodes want to communicate using IPv6, but they are in a remote Administrative Domain and geography, and packets must be sent to a Provider. These nodes could also be Mobile nodes and in a remote location. 3. Two Mobile Dual Stacked IPv4/IPv6 nodes want to communicate using IPv6, and both are on remote IPv4 network. 4. Two Mobile Dual Stacked IPv4/IPv6 nodes want to communicate using IPv6, and both are on remote IPv6 network. It is important to realize in this scenario the transit providers could be IPv4-ONLY. 6.2 M2: IPv6 Tunnels to Encapsulate IPv4 This Point of Transition exists for the following conditions: 1. A Dual Stacked IPv4/IPv6 node wants to communicate to a legacy IPv4 service and is on a Native IPv6 link and Routing Domain. Enterpise policy is that IPv6 should be used to encapsulate IPv4. 2. A Dual Stacked IPv4/IPv6 node wants to communicate to a legcy IPv4 service and is on a Native IPv6 link and Routing Domain. Enterprise policy is IPv4 should be used for this communications. 3. Same conditions above but for Mobile node. 6.3 M3: IPv6 NAT to Communicate with IPv4 This Point of Transition exists for the following conditions: 1. A Dual Stacked IPv4/IPv6 node wants to communicate with a legacy IPv4 ONLY service or node. Enterprise policy is that IPv6 NAT should be used for this communications. 2. An IPv6 ONLY node wants to communicate with a legacy IPv4 ONLY node or service. Same policy as above. 3. Same conditions above but for Mobile IPv6 ONLY node. Using NAT for this point of transition will preclude end-2-end draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 11] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 security, applications, and remove some benefits from the IPv6 protocol. 1. The Design Team highly recommends that network not adopt the policy in reference "1" above. 2. IPv6 ONLY nodes should not be deployed in a network until they will not require access to any legacy IPv4. This means that applications and infrastructure has been ported or moved to IPv6. Until that time nodes for transition should be Dual Stacked IPv4/IPv6 nodes. This means networks that want to use IPv6 ONLY nodes will be required to move applications and infrastructure to IPv6 first. 6.4 M4: IPv6 Native LANs This Point of Transtion exists when the policy wants to support the deployment of Native IPv6 LANs. This condition will be driven by the transition variables V1-V14 stated in Section 4. 6.5 M5: IPv6 Native Routing Domains This Point of Transition exists when the policy is to deploy IPv6 Native Routing Domains. This condition will be driven by the variables V1-14 stated in Section 4. 6.6 M6: Dual Stack Nodes supporting IPv6 and IPv4 This Point of Transition is a method to deploy IPv6 and a method for transition. A network that deploys Dual Stacked IPv4/IPv6 nodes as they adopt IPv6 are more assured that IPv6 and IPv4 interoperation will be possible between the two nodes or services. It also means for many legacy IPv4 nodes that they can be upgraded to support IPv4 and IPv6, but not turn on IPv6 until the IPv6 operational network has been verified to be interoperable and secure. It also means that both IPv4 and IPv6 can be supported by the nodes that transition to IPv6 and then will be able to communicate with IPv4 nodes using an IPv4 network infrastructure. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 12] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 7. Enterprise Network Infrastructure Points of Transition The Enterprise will be required to determine what network infrastructure will be affected by transtion to IPv6. This infrastructure must be analyzed and understood as a critical resource to manage. Each topic below in this section will be discussed and the issues facing transition for these network infrastructure parts will be discussed. 7.1 DNS This will be discussed in a future draft. 7.2 Routing This will be discussed in a future draft. 7.3 Autoconfiguration IPv6 introduces the concept of autoconfiguration [RFC2462]. Autoconfiguration removes the need for DHCP to dynamically assign addresses to nodes. Though DHCPv6 can be used to administrate addresses that are assigned to nodes. When preforming stateless autoconfiguration, an EUI-64 is generated by the IPv6 node, on a per-interface basis, to form the entire 128 bit IPV6 address. The EUI-64 is derived from the MAC address of the interface that being autoconfigured. This mechanism proves a large amount of flexibility when joining new nodes to an IPv6 network. Since the address is tied to the MAC address of a given interface, swapping said interface device would change the address of the node. This presents a problem for nodes, such as servers and routers, that require a stable IP address. It is suggested that nodes which require such stability, in their IP address, make use of either stateful autoconfiguration or fixed interface-id autoconfiguration. The later involves using a fixed 64 bit token, instead of the EUI-64. Determining the value of this token should be considered when establishing an address plan." 7.4 Security This will be discussed in a future draft. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 13] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 7.5 Applications and APIs This will be discussed in a future draft. 7.6 IPv6 Address Scoping This will be discussed in a future draft. 7.7 Network Management This will be discussed in a future draft. 7.8 Address Planning This will be discussed in a future draft. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 14] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 8. Enterprise Tools Requirements This section will identify the tools requirements for an EN transitioning to IPv6 so the configuration issues for the EN are documented for the document. 8.1 Routing Configuration This will be discussed in a future draft. 8.2 DNS Configuration This will be discussed in a future draft. 8.3 IPv6 Address Allocation and Configuration This will be discussed in a future draft. 8.4 IPv4 Address Allocation and Configuration This will be discussed in a future draft. 8.5 VPN/Tunnel Configuration This will be discussed in a future draft. 8.6 Mobile Node IPv4/IPv6 Interoperation Configuration This will be discussed in a future draft. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 15] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 9. Enterprise Network Scenarios in Depth This section will discuss the Scenarios in depth and identify the transition methods options and tools requirements from previous sections. This will be done in a future draft. 10. Enteprise Network Scenarios Matrix Graph This section will provide a set of matrices from the scenarios, transition variables, methods, and tools to define and determine common points of transition across the Scenarios. This will be done in future draft. 11. Applicability Statement This will be done in a future draft as we get more working group discussion. 12. Security Section The first iteration of this section will be done in a future draft. Acknowledgments Enterprise Network Scenarios Design Team: Yanick Pouffary (Chair) - Hewlett Packard Jim Bound (Editor) - Hewlett Packard Yurie Rich - Native6 Group Marc Blanchet - Hexago Tony Hain - Cisco Paul Gilbert - Cisco Scott Hahn - Intel Margaret Wasserman - Windriver Jason Goldschmidt - Sun Microsystems Mathew Lehman - Microsoft Aldrin Isaac - Bloomberg The Design Team would also like to acknowledge the input from the following: IETF V6OPS Working Group, Tim Chown, Alain Durand, and Bob Hinden. References These will be provided as the drafts mature and we reference related work in the IETF and in the Industry. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 16] INTERNET-DRAFT draft-ietf-v6ops-entnet-scenarios-00.txt February 2003 Design Team' Addresses Send email to ent-v6net@viagenie.qc.ca to contact the design team and send comments on the draft to v6ops@ops.ietf.org. Authors contact info will be provided in a future draft. draft-ietf-v6ops-entnet-scenarios-00.txt Expires July 2003 [Page 17]