idnits 2.17.1 

draft-ietf-v6ops-enterprise-incremental-ipv6-03.txt:

  Checking boilerplate required by RFC 5378 and the IETF Trust (see
  https://trustee.ietf.org/license-info):
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
  ----------------------------------------------------------------------------

     No issues found here.

  Checking nits according to https://www.ietf.org/id-info/checklist :
  ----------------------------------------------------------------------------

     No issues found here.

  Miscellaneous warnings:
  ----------------------------------------------------------------------------

  == The copyright year in the IETF Trust and authors Copyright Line does not
     match the current year

  -- The document date (July 14, 2013) is 3938 days in the past.  Is this
     intentional?


  Checking references for intended status: Informational
  ----------------------------------------------------------------------------

  -- Obsolete informational reference (is this intentional?): RFC 2011
     (Obsoleted by RFC 4293)

  -- Obsolete informational reference (is this intentional?): RFC 2096
     (Obsoleted by RFC 4292)

  -- Obsolete informational reference (is this intentional?): RFC 3315
     (Obsoleted by RFC 8415)

  -- Obsolete informational reference (is this intentional?): RFC 4941
     (Obsoleted by RFC 8981)

  -- Obsolete informational reference (is this intentional?): RFC 5102
     (Obsoleted by RFC 7012)

  -- Obsolete informational reference (is this intentional?): RFC 5157
     (Obsoleted by RFC 7707)

  -- Obsolete informational reference (is this intentional?): RFC 6106
     (Obsoleted by RFC 8106)

  -- Obsolete informational reference (is this intentional?): RFC 6145
     (Obsoleted by RFC 7915)

  -- Obsolete informational reference (is this intentional?): RFC 6434
     (Obsoleted by RFC 8504)

  -- Obsolete informational reference (is this intentional?): RFC 6555
     (Obsoleted by RFC 8305)

  == Outdated reference: A later version (-08) exists of
     draft-xli-behave-divi-05

  == Outdated reference: A later version (-05) exists of
     draft-wierenga-ietf-eduroam-00

  == Outdated reference: A later version (-05) exists of
     draft-lopez-v6ops-dc-ipv6-04

  == Outdated reference: A later version (-12) exists of
     draft-ietf-v6ops-design-choices-00

  == Outdated reference: A later version (-27) exists of
     draft-ietf-opsec-v6-02

  == Outdated reference: A later version (-08) exists of
     draft-ietf-opsec-ipv6-host-scanning-01

  == Outdated reference: A later version (-07) exists of
     draft-ietf-opsec-ipv6-implications-on-ipv4-nets-05

  -- No information found for draft-liu-bonica-dhcpv6 - is the name correct?

  == Outdated reference: A later version (-05) exists of
     draft-ietf-v6ops-ula-usage-recommendations-00


     Summary: 0 errors (**), 0 flaws (~~), 9 warnings (==), 12 comments (--).

     Run idnits with the --verbose option for more detailed information about
     the items above.
--------------------------------------------------------------------------------


2	Network Working Group                                    K. Chittimaneni
3	Internet-Draft                                               Google Inc.
4	Intended status: Informational                                  T. Chown
5	Expires: January 15, 2014                      University of Southampton
6	                                                               L. Howard
7	                                                       Time Warner Cable
8	                                                            V. Kuarsingh
9	                                                   Rogers Communications
10	                                                             Y. Pouffary
11	                                                         Hewlett Packard
12	                                                               E. Vyncke
13	                                                           Cisco Systems
14	                                                           July 14, 2013

16	                 Enterprise IPv6 Deployment Guidelines
17	            draft-ietf-v6ops-enterprise-incremental-ipv6-03

19	Abstract

21	   Enterprise network administrators worldwide are in various stages of
22	   preparing for or deploying IPv6 into their networks.  The
23	   administrators face different challenges than operators of Internet
24	   access providers, and have reasons for different priorities.  The
25	   overall problem for many administrators will be to offer Internet-
26	   facing services over IPv6, while continuing to support IPv4, and
27	   while introducing IPv6 access within the enterprise IT network.  The
28	   overall transition will take most networks from an IPv4-only
29	   environment to a dual stack network environment and potentially an
30	   IPv6-only operating mode.  This document helps provide a framework
31	   for enterprise network architects or administrators who may be faced
32	   with many of these challenges as they consider their IPv6 support
33	   strategies.

35	Status of This Memo

37	   This Internet-Draft is submitted in full conformance with the
38	   provisions of BCP 78 and BCP 79.

40	   Internet-Drafts are working documents of the Internet Engineering
41	   Task Force (IETF).  Note that other groups may also distribute
42	   working documents as Internet-Drafts.  The list of current Internet-
43	   Drafts is at http://datatracker.ietf.org/drafts/current/.

45	   Internet-Drafts are draft documents valid for a maximum of six months
46	   and may be updated, replaced, or obsoleted by other documents at any
47	   time.  It is inappropriate to use Internet-Drafts as reference
48	   material or to cite them other than as "work in progress."
49	   This Internet-Draft will expire on January 15, 2014.

51	Copyright Notice

53	   Copyright (c) 2013 IETF Trust and the persons identified as the
54	   document authors.  All rights reserved.

56	   This document is subject to BCP 78 and the IETF Trust's Legal
57	   Provisions Relating to IETF Documents
58	   (http://trustee.ietf.org/license-info) in effect on the date of
59	   publication of this document.  Please review these documents
60	   carefully, as they describe your rights and restrictions with respect
61	   to this document.  Code Components extracted from this document must
62	   include Simplified BSD License text as described in Section 4.e of
63	   the Trust Legal Provisions and are provided without warranty as
64	   described in the Simplified BSD License.

66	Table of Contents

68	   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
69	     1.1.  Enterprise Assumptions  . . . . . . . . . . . . . . . . .   4
70	     1.2.  IPv4-only Considerations  . . . . . . . . . . . . . . . .   4
71	     1.3.  Reasons for a Phased Approach . . . . . . . . . . . . . .   4
72	   2.  Preparation and Assessment Phase  . . . . . . . . . . . . . .   6
73	     2.1.  Program Planning  . . . . . . . . . . . . . . . . . . . .   6
74	     2.2.  Inventory Phase . . . . . . . . . . . . . . . . . . . . .   8
75	       2.2.1.  Network infrastructure readiness assessment . . . . .   8
76	       2.2.2.  Applications readiness assessment . . . . . . . . . .   8
77	       2.2.3.  Importance of readiness validation and testing  . . .   9
78	     2.3.  Training  . . . . . . . . . . . . . . . . . . . . . . . .   9
79	     2.4.  Security Policy . . . . . . . . . . . . . . . . . . . . .   9
80	       2.4.1.  IPv6 is no more secure than IPv4  . . . . . . . . . .   9
81	       2.4.2.  Similarities between IPv6 and IPv4 security . . . . .  10
82	       2.4.3.  Specific Security Issues for IPv6 . . . . . . . . . .  11
83	     2.5.  Routing . . . . . . . . . . . . . . . . . . . . . . . . .  13
84	     2.6.  Address Plan  . . . . . . . . . . . . . . . . . . . . . .  13
85	     2.7.  Tools Assessment  . . . . . . . . . . . . . . . . . . . .  15
86	   3.  External Phase  . . . . . . . . . . . . . . . . . . . . . . .  17
87	     3.1.  Connectivity  . . . . . . . . . . . . . . . . . . . . . .  17
88	     3.2.  Security  . . . . . . . . . . . . . . . . . . . . . . . .  18
89	     3.3.  Monitoring  . . . . . . . . . . . . . . . . . . . . . . .  19
90	     3.4.  Servers and Applications  . . . . . . . . . . . . . . . .  19
91	     3.5.  Network Prefix Translation for IPv6 . . . . . . . . . . .  20
92	   4.  Internal Phase  . . . . . . . . . . . . . . . . . . . . . . .  20
93	     4.1.  Security  . . . . . . . . . . . . . . . . . . . . . . . .  21
94	     4.2.  Network Infrastructure  . . . . . . . . . . . . . . . . .  21
95	     4.3.  End user devices  . . . . . . . . . . . . . . . . . . . .  23
96	     4.4.  Corporate Systems . . . . . . . . . . . . . . . . . . . .  24

98	   5.  IPv6-only . . . . . . . . . . . . . . . . . . . . . . . . . .  24
99	   6.  Considerations For Specific Enterprises . . . . . . . . . . .  25
100	     6.1.  Content Delivery Networks . . . . . . . . . . . . . . . .  25
101	     6.2.  Data Center Virtualization  . . . . . . . . . . . . . . .  26
102	     6.3.  University Campus Networks  . . . . . . . . . . . . . . .  26
103	   7.  Security Considerations . . . . . . . . . . . . . . . . . . .  27
104	   8.  Acknowledgements  . . . . . . . . . . . . . . . . . . . . . .  27
105	   9.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .  27
106	   10. Informative References  . . . . . . . . . . . . . . . . . . .  27
107	   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .  33

109	1.  Introduction

111	   An Enterprise Network is defined in [RFC4057] as a network that has
112	   multiple internal links, one or more router connections to one or
113	   more Providers, and is actively managed by a network operations
114	   entity (the "administrator", whether a single person or department of
115	   administrators).  Administrators generally support an internal
116	   network, consisting of users' workstations, personal computers, other
117	   computing devices and related peripherals, a server network,
118	   consisting of accounting and business application servers, and an
119	   external network, consisting of Internet-accessible services such as
120	   web servers, email servers, VPN systems, and customer applications.
121	   This document is intended as guidance for network architects and
122	   administrators in planning their IPv6 deployments.

124	   The business reasons for spending time, effort, and money on IPv6
125	   will be unique to each enterprise.  The most common drivers are due
126	   to the fact that when Internet service providers, including mobile
127	   wireless carriers, run out of IPv4 addresses, they will provide
128	   native IPv6 and non-native IPv4.  The non-native IPv4 service may be
129	   NAT64, NAT444, Dual-stack Lite, or other transition technologies.
130	   Compared to tunneled or translated, native traffic typically performs
131	   better and more reliably than non-native.  For example, for client
132	   networks trying to reach enterprise networks, the IPv6 experience
133	   will be better than the transitional IPv4 if the enterprise deploys
134	   IPv6 in its public-facing services.  The native IPv6 network path
135	   should also be simpler to manage and, if necessary, troubleshoot.
136	   Further, enterprises doing business in growing parts of the world may
137	   find IPv6 growing faster there, where again potential new customers,
138	   employees and partners are using IPv6.  It is thus in the
139	   enterprise's interests to deploy native IPv6, at the very least in
140	   its public-facing services, but ultimately across the majority or all
141	   of its scope.

143	   The text in this document provides specific guidance for enterprise
144	   networks, and complements other related work in the IETF, including
145	   [I-D.ietf-v6ops-design-choices] and [RFC5375].

147	1.1.  Enterprise Assumptions

149	   For the purpose of this document, we assume:

151	   o  The administrator is considering deploying IPv6 (but see
152	      Section 1.2 below).

154	   o  The administrator has existing IPv4 networks and devices which
155	      will continue to operate and be supported.

157	   o  The administrator will want to minimize the level of disruption to
158	      the users and services by minimizing number of technologies and
159	      functions that are needed to mediate any given application.  In
160	      other words, provide native IP wherever possible.

162	   Based on these assumptions, an administrator will want to use
163	   technologies which minimize the number of flows being tunnelled,
164	   translated or intercepted at any given time.  The administrator will
165	   choose transition technologies or strategies which allow most traffic
166	   to be native, and will manage non-native traffic.  This will allow
167	   the administrator to minimize the cost of IPv6 transition
168	   technologies, by containing the number and scale of transition
169	   systems.

171	1.2.  IPv4-only Considerations

173	   As described in [RFC6302] administrators should take certain steps
174	   even if they are not considering IPv6.  Specifically, Internet-facing
175	   servers should log the source port number, timestamp (from a reliable
176	   source), and the transport protocol.  This will allow investigation
177	   of malefactors behind address-sharing technologies such as NAT444 or
178	   Dual-stack Lite.

180	   Other IPv6 considerations may impact ostensibly IPv4-only networks,
181	   e.g. [RFC6104] describes the rogue IPv6 RA problem, which may cause
182	   problems in IPv4-only networks where IPv6 is enabled in end systems
183	   on that network.  Further discussion of the security implications of
184	   IPv6 in IPv4-only networks can be found in
185	   [I-D.ietf-opsec-ipv6-implications-on-ipv4-nets]).

187	1.3.  Reasons for a Phased Approach

189	   Given the challenges of transitioning user workstations, corporate
190	   systems, and Internet-facing servers, a phased approach allows
191	   incremental deployment of IPv6, based on the administrator's own
192	   determination of priorities.  The Preparation Phase is highly
193	   recommended to all administrators, as it will save errors and
194	   complexity in later phases.  Each administrator must decide whether
195	   to begin with the External Phase (as recommended in [RFC5211]) or the
196	   Internal Phase.  There is no "correct" answer here; the decision is
197	   one for each enterprise to make.

199	   Each scenario is likely to be different to some extent, but we can
200	   highlight some considerations:

202	   o  In many cases, customers outside the network will have IPv6 before
203	      the internal enterprise network.  For these customers, IPv6 may
204	      well perform better, especially for certain applications, than
205	      translated or tunneled IPv4, so the administrator may want to
206	      prioritize the External Phase such that those customers have the
207	      simplest and most robust connectivity to the enterprise, or at
208	      least its external-facing elements.

210	   o  Employees who access internal systems by VPN may find that their
211	      ISPs provide translated IPv4, which does not support the required
212	      VPN protocols.  In these cases, the administrator may want to
213	      prioritize the External Phase, and any other remotely-accessible
214	      internal systems.  It is worth noting that a number of emerging
215	      VPN solutions provide dual-stack connectivity; thus a VPN service
216	      may be useful for employees in IPv4-only access networks to access
217	      IPv6 resources in the enterprise network (much like many public
218	      tunnel broker services, but specifically for the enterprise).

220	   o  Internet-facing servers cannot be managed over IPv6 unless the
221	      management systems are IPv6-capable.  These might be Network
222	      Management Systems (NMS), monitoring systems, or just remote
223	      management desktops.  Thus in some cases, the Internet-facing
224	      systems are dependent on IPv6-capable internal networks.  However,
225	      dual-stack Internet-facing systems can still be managed over IPv4.

227	   o  Virtual machines may enable a faster rollout once initial system
228	      deployment is complete.  Management of VMs over IPv6 is still
229	      dependent on the management software supporting IPv6.

231	   o  IPv6 is enabled by default on all modern operating systems, so it
232	      may be more urgent to manage and have visibility on the internal
233	      traffic.  It is important to manage IPv6 for security purposes,
234	      even in an ostensibly IPv4-only network, as described in
235	      [I-D.ietf-opsec-ipv6-implications-on-ipv4-nets].

237	   o  In many cases, the corporate accounting, payroll, human resource,
238	      and other internal systems may only need to be reachable from the
239	      internal network, so they may be a lower priority.  As enterprises
240	      require their vendors to support IPv6, more internal applications
241	      will support IPv6 by default and it can be expected that
242	      eventually new applications will only support IPv6.  The
243	      inventory, as described in Section 2.2, will help determine the
244	      systems' readiness, as well as the readiness of the supporting
245	      network elements and security, which will be a consideration in
246	      prioritization of these corporate systems.

248	   o  Some large organizations (even when using private IPv4
249	      addresses[RFC1918]) are facing IPv4 address exhaustion because of
250	      the internal network growth (for example the vast number of
251	      virtual machines) or because of the acquisition of other companies
252	      that often raise private IPv4 address overlapping issues.

254	   o  IPv6 restores end to end transparency even for internal
255	      applications (of course security policies must still be enforced).
256	      When two organizations or networks merge
257	      [I-D.ietf-6renum-enterprise], the unique addressing of IPv6 can
258	      make the merger much easier and faster.  A merger may, therefore,
259	      prioritize IPv6 for the affected systems.

261	   These considerations are in conflict; each administrator must
262	   prioritize according to their company's conditions.  It is worth
263	   noting that the reasons given in one "Large Corporate User's View of
264	   IPng", described in [RFC1687], for reluctance to deploy have largely
265	   been satisfied or overcome in the intervening 18 years.

267	2.  Preparation and Assessment Phase

269	2.1.  Program Planning

271	   As with any project, an IPv6 deployment project will have its own
272	   phases.  Generally, one person is identified as the project sponsor
273	   or champion, who will make sure time, people and other resources are
274	   committed appropriately for the project.  Because enabling IPv6 can
275	   be a project with many interrelated tasks, identifying a project
276	   manager is also recommended.  The project manager and sponsor can
277	   initiate the project, determining the scope of work, the
278	   corresponding milestones and deliverables, and identifying whose
279	   input is required, and who will be affected by work.  The scope will
280	   generally include the Preparation Phase, and may include the Internal
281	   Phase, the External Phase, or both, and may include any or all of the
282	   Other Phases identified.  It may be necessary to complete the
283	   Preparation Phase before determining which of the other phases will
284	   be prioritized, since needs and readiness assessments are part of
285	   that phase.

287	   The project manager will need to spend some time on planning.  It is
288	   often useful for the sponsor to communicate with stakeholders at this
289	   time, to explain why IPv6 is important to the enterprise.  Then, as
290	   the project manager is assessing what systems and elements will be
291	   affected, the stakeholders will understand why it is important for
292	   them to support the effort.  Well-informed project participants can
293	   help significantly by explaining the relationships between
294	   components.  For a large enterprise, it may take several iterations
295	   to really understand the level of effort required; some systems will
296	   require additional development, some might require software updates,
297	   and others might need new versions or alternative products from other
298	   vendors.  Once the projects are understood, the project manager can
299	   develop a schedule and a budget, and work with the project sponsor to
300	   determine what constraints can be adjusted, if necessary.

302	   It is tempting to roll IPv6 projects into other architectural
303	   upgrades - this can be an excellent way to improve the network and
304	   reduce costs.  Project participants are advised that by increasing
305	   the scope of projects, the schedule is often affected.  For instance,
306	   a major systems upgrade may take a year to complete, where just
307	   patching existing systems may take only a few months.  Understanding
308	   and evaluating these trade-offs are why a project manager is
309	   important.

311	   The deployment of IPv6 will not generally stop all other technology
312	   work.  Once IPv6 has been identified as an important initiative, all
313	   projects will need to evaluate their ability to support IPv6.  If
314	   expansions or new deployments fail to include IPv6, then additional
315	   work will be required after all initial IPv6 has been completed.  It
316	   may not be possible to delay regular projects for IPv6, if their IPv6
317	   support is dependent on network elements that have not yet been
318	   upgraded, but the projects need to include a return to IPv6 support
319	   in their eventual timeline.

321	   It is very common for assessments to continue in some areas even as
322	   execution of the project begins in other areas.  This is fine, as
323	   long as recommendations in other parts of this document are
324	   considered, especially regarding security (for instance, one should
325	   not deploy IPv6 on a system before security has been evaluated).  The
326	   project manager will need to continue monitoring the progress of
327	   discrete projects and tasks, to be aware of changes in schedule,
328	   budget, or scope.  "Feature creep" is common, where engineers or
329	   management wish to add other features while IPv6 development or
330	   deployment is ongoing; each feature will need to be individually
331	   evaluated for its effect on the schedule and budget, and whether
332	   expanding the scope increases risk to any other part of the project.

334	   As projects are completed, the project manager will confirm that work
335	   has been completed, often by means of seeing a completed test plan,
336	   and will report back to the project sponsor on completed parts of the
337	   project.  A good project manager will remember to thank the people
338	   who executed the project.

340	2.2.  Inventory Phase

342	   To comprehend the scope of the inventory phase we recommend dividing
343	   the problem space in two: network infrastructure readiness and
344	   applications readiness.

346	2.2.1.  Network infrastructure readiness assessment

348	   The goal of this assessment is to identify the level of IPv6
349	   readiness of network equipment.  This is an important step as it will
350	   help identify the effort required to move to an infrastructure that
351	   supports IPv6 with the same functional service capabilities as the
352	   existing IPv4 network.  This may also require a feature comparison
353	   and gap analysis between IPv4 and IPv6 functionality on the network
354	   equipment and software.

356	   Be able to understand which network devices are already capable,
357	   which devices can be made IPv6 ready with a code/firmware upgrade,
358	   and which devices will need to be replaced.  The data collection
359	   consists of a network discovery to gain an understanding of the
360	   topology and inventory network infrastructure equipment and code
361	   versions with information gathered from static files and IP address
362	   management, DNS and DHCP tools.

364	   Since IPv6 might already be present in the environment, through
365	   default configurations or VPNs, an infrastructure assessment (at
366	   minimum) is essential to evaluate potential security risks.

368	2.2.2.  Applications readiness assessment

370	   Just like network equipment, application software needs to support
371	   IPv6.  This includes OS, firmware, middleware and applications
372	   (including internally developed applications).  Vendors will
373	   typically handle IPv6 enablement of off-the-shelf products, but often
374	   enterprises need to request this support from vendors.  For
375	   internally developed applications it is the responsibility of the
376	   enterprise to enable them for IPv6.  Analyzing how a given
377	   application communicates over the network will dictate the steps
378	   required to support IPv6.  Applications should be made to use APIs
379	   which hide the specifics of a given IP address family.  Any
380	   applications that use APIs, such as the C language, which exposes the
381	   IP version specificity, need to be modified to also work with IPv6.

383	   There are two ways to IPv6-enable applications.  The first approach
384	   is to have separate logic for IPv4 and IPv6, thus leaving the IPv4
385	   code path mainly untouched.  This approach causes the least
386	   disruption to the existing IPv4 logic flow, but introduces more
387	   complexity, since the application now has to deal with two logic
388	   loops with complex race conditions and error recovery mechanisms
389	   between these two logic loops.  The second approach is to create a
390	   combined IPv4/IPv6 logic, which ensures operation regardless of the
391	   IP version used on the network.  Knowing whether a given
392	   implementation will use IPv4 or IPv6 in a given deployment is a
393	   matter of some art; see Source Address Selection [RFC6724] and Happy
394	   Eyeballs [RFC6555].  It is generally recommend that the application
395	   developer use industry IPv6-porting tools to locate the code that
396	   needs to be updated.  Some discussion of IPv6 application porting
397	   issues can be found in [RFC4038].

399	2.2.3.  Importance of readiness validation and testing

401	   Lastly IPv6 introduces a completely new way of addressing endpoints,
402	   which can have ramifications at the network layer all the way up to
403	   the applications.  So to minimize disruption during the transition
404	   phase we recommend complete functionality, scalability and security
405	   testing to understand how IPv6 impacts the services and networking
406	   infrastructure.

408	2.3.  Training

410	   IPv6 planning and deployment in the enterprise does not only affect
411	   the network.  IPv6 adoption will be a multifaceted undertaking that
412	   will touch everyone in the organization unlike almost any other
413	   project.  While technology and process transformations are taking
414	   place, it is critical that personnel training takes place as well.
415	   Training will ensure that people and skill gaps are assessed
416	   proactively and managed accordingly.  We recommend that training
417	   needs be analyzed and defined in order to successfully inform, train,
418	   and prepare staff for the impacts of the system or process changes.
419	   Better knowledge of the requirements to deploy IPv6 may also help
420	   inform procurement processes.

422	2.4.  Security Policy

424	   It is obvious that IPv6 networks should be deployed in a secure way.
425	   The industry has learnt a lot about network security with IPv4, so,
426	   network operators should leverage this knowledge and expertise when
427	   deploying IPv6.  IPv6 is not so different than IPv4: it is a
428	   connectionless network protocol using the same lower layer service
429	   and delivering the same service to the upper layer.  Therefore, the
430	   security issues and mitigation techniques are mostly identical with
431	   same exceptions that are described further.

433	2.4.1.  IPv6 is no more secure than IPv4
434	   Some people believe that IPv6 is inherently more secure than IPv4
435	   because it is new.  Nothing can be more wrong.  Indeed, being a new
436	   protocol means that bugs in the implementations have yet to be
437	   discovered and fixed and that few people have the operational
438	   security expertise needed to operate securely an IPv6 network.  This
439	   lack of operational expertise is the biggest threat when deploying
440	   IPv6: the importance of training is to be stressed again.

442	   One security myth is that thanks to its huge address space, a network
443	   cannot be scanned by enumerating all IPv6 address in a /64 LAN hence
444	   a malevolent person cannot find a victim.  [RFC5157] describes some
445	   alternate techniques to find potential targets on a network, for
446	   example enumerating all DNS names in a zone.  Additional advice in
447	   this area is also given in [I-D.ietf-opsec-ipv6-host-scanning].

449	   Another security myth is that IPv6 is more secure because it mandates
450	   the use of IPsec everywhere.  While the original IPv6 specifications
451	   may have implied this, [RFC6434] clearly states that IPsec support is
452	   not mandatory.  Moreover, if all the intra-enterprise traffic is
453	   encrypted, then this renders a lot of the network security tools
454	   (IPS, firewall, ACL, IPFIX, etc) blind and pretty much useless.
455	   Therefore, IPsec should be used in IPv6 pretty much like in IPv4 (for
456	   example to establish a VPN overlay over a non-trusted network or
457	   reserved for some specific applications).

459	   The last security myth is that amplification attacks (such as
460	   [SMURF]) do not exist in IPv6 because there is no more broadcast.
461	   Alas, this is not true as ICMP error (in some cases) or information
462	   messages can be generated by routers and hosts when forwarding or
463	   receiving a multicast message (see Section 2.4 of [RFC4443]).
464	   Therefore, the generation and the forwarding rate of ICMPv6 messages
465	   must be limited as in IPv4.

467	   It should be noted that in a dual-stack network the security
468	   implementation for both IPv4 and IPv6 needs to be considered, in
469	   addition to security considerations related to the interaction of
470	   (and transition between) the two, while they coexist.

472	2.4.2.  Similarities between IPv6 and IPv4 security

474	   As mentioned earlier, IPv6 is quite similar to IPv4, therefore
475	   several attacks apply for both protocol families:

477	   o  Application layer attacks: such as cross-site scripting or SQL
478	      injection

480	   o  Rogue device: such as a rogue Wi-Fi Access Point
481	   o  Flooding and all traffic-based denial of services (including the
482	      use of control plane policing for IPv6 traffic see [RFC6192])

484	   o  Etc.

486	   A specific case of congruence is IPv6 Unique Local Addresses (ULAs)
487	   [RFC4193] and IPv4 private addressing [RFC1918], which do not provide
488	   any security by 'magic'.  In both cases, the edge router must apply
489	   strict filters to block those private addresses from entering and,
490	   just as importantly, leaving the network.  This filtering can be done
491	   by the enterprise or by the ISP, but the cautious administrator will
492	   prefer to do it in the enterprise.

494	   IPv6 addresses can be spoofed as easily as IPv4 addresses and there
495	   are packets with bogon IPv6 addresses (see [CYMRU]).  Anti-bogon
496	   filtering must be done in the data and routing planes.  It can be
497	   done by the enterprise or by the ISP, or both, but again the cautious
498	   administrator will prefer to do it in the enterprise.

500	2.4.3.  Specific Security Issues for IPv6

502	   Even if IPv6 is similar to IPv4, there are some differences that
503	   create some IPv6-only vulnerabilities or issues.  We give examples of
504	   such differences in this section.

506	   Privacy extension addresses [RFC4941] are usually used to protect
507	   individual privacy by periodically changing the interface identifier
508	   part of the IPv6 address to avoid tracking a host by its otherwise
509	   always identical and unique MAC-based EUI-64.  While this presents a
510	   real advantage on the Internet, moderated by the fact that the prefix
511	   part remains the same, it complicates the task of following an audit
512	   trail when a security officer or network operator wants to trace back
513	   a log entry to a host in their network, because when the tracing is
514	   done the searched IPv6 address could have disappeared from the
515	   network.  Therefore, the use of privacy extension addresses usually
516	   requires additional monitoring and logging of the binding of the IPv6
517	   address to a data-link layer address (see also the monitoring section
518	   of [I-D.ietf-opsec-v6]).  Some early enterprise deployments have
519	   taken the approach to use tools that harvest IP/MAC address mappings
520	   from switch and router devices to provide address accountability;
521	   this approach has been shown to work, though it can involve gathering
522	   significantly more address data than in equivalent IPv4 networks.  An
523	   alternative is to try to prevent the use of privacy extension
524	   addresses by enforcing the use of DHCPv6, such that hosts only get
525	   addresses assigned by a DHCPv6 server.  This can be done by
526	   configuring routers to set the M-bit in Router Advertisements,
527	   combined with all advertised prefixes being included without the
528	   A-bit set (to prevent the use of stateless auto-configuration).  This
529	   technique of course requires that all hosts support stateful DHCPv6.
530	   It is important to note that not all operating systems exhibit the
531	   same behavior when processing RAs with the M-Bit set.  The varying OS
532	   behavior is related to the lack of prescriptive definition around the
533	   A, M and O-bits within the ND protocol.
534	   [I-D.liu-bonica-dhcpv6-slaac-problem] provides a much more detailed
535	   analysis on the interaction of the M-Bit and DHCPv6.

537	   Extension headers complicate the task of stateless packet filters
538	   such as ACLs.  If ACLs are used to enforce a security policy, then
539	   the enterprise must verify whether its ACL (but also stateful
540	   firewalls) are able to process extension headers (this means
541	   understand them enough to parse them to find the upper layers
542	   payloads) and to block unwanted extension headers (e.g., to implement
543	   [RFC5095]).  This topic is discussed further in
544	   [I-D.carpenter-6man-ext-transmit].

546	   Fragmentation is different in IPv6 because it is done only by source
547	   host and never during a forwarding operation.  This means that ICMPv6
548	   packet-too-big messages must be allowed to pass through the network
549	   and not be filtered [RFC4890].  Fragments can also be used to evade
550	   some security mechanisms such as RA-guard [RFC6105].  See also
551	   [RFC5722], and [I-D.ietf-v6ops-ra-guard-implementation].

553	   One of the biggest differences between IPv4 and IPv6 is the
554	   introduction of the Neighbor Discovery Protocol [RFC4861], which
555	   includes a variety of important IPv6 protocol functions, including
556	   those provided in IPv4 by ARP [RFC0826].  NDP runs over ICMPv6 (which
557	   as stated above means that security policies must allow some ICMPv6
558	   messages to pass, as described in RFC 4890), but has the same lack of
559	   security as, for example, ARP, in that there is no inherent message
560	   authentication.  While Secure Neighbour Discovery (SeND) [RFC3971]
561	   and CGA [RFC3972] have been defined, they are not widely
562	   implemented).  The threat model for Router Advertisements within the
563	   NDP suite is similar to that of DHCPv4 (and DHCPv6), in that a rogue
564	   host could be either a rogue router or a rogue DHCP server.  An IPv4
565	   network can be made more secure with the help of DHCPv4 snooping in
566	   edge switches, and likewise RA snooping can improve IPv6 network
567	   security (in IPv4-only networks as well).  Thus enterprises using
568	   such techniques for IPv4 should use the equivalent techniques for
569	   IPv6, including RA-guard (RFC 6105) and all work in progress from the
570	   SAVI WG, e.g. [I-D.ietf-savi-threat-scope], which is similar to the
571	   protection given by dynamic ARP monitoring in IPv4.  Other DoS
572	   vulnerabilities are related to NDP cache exhaustion, and mitigation
573	   techniques can be found in ([RFC6583]).

575	   As stated previously, running a dual-stack network doubles the attack
576	   exposure as a malevolent person has now two attack vectors: IPv4 and
577	   IPv6.  This simply means that all routers and hosts operating in a
578	   dual-stack environment with both protocol families enabled (even if
579	   by default) must have a congruent security policy for both protocol
580	   versions.  For example, permit TCP ports 80 and 443 to all web
581	   servers and deny all other ports to the same servers must be
582	   implemented both for IPv4 and IPv6.  It is thus important that the
583	   tools available to administrators readily support such behaviour.

585	2.5.  Routing

587	   An important design choice to be made is what IGP to use inside the
588	   network.  A variety of IGPs (IS-IS, OSPFv3 and RIPng) support IPv6
589	   today and picking one over the other is a design choice that will be
590	   dictated mostly by existing operational policies in an enterprise
591	   network.  As mentioned earlier, it would be beneficial to maintain
592	   operational parity between IPv4 and IPv6 and therefore it might make
593	   sense to continue using the same protocol family that is being used
594	   for IPv4.  For example, in a network using OSPFv2 for IPv4, it might
595	   make sense to use OSPFv3 for IPv6.  It is important to note that
596	   although OSPFv3 is similar to OSPFv2, they are not the same.  On the
597	   other hand, some organizations may chose to run different routing
598	   protocols for different IP versions.  For example, one may chose to
599	   run OSPFv2 for IPv4 and IS-IS for IPv6.  An important design question
600	   to consider here is whether to support one IGP or two different IGPs
601	   in the longer term.  [I-D.ietf-v6ops-design-choices] presents advice
602	   on the design choices that arise when considering IGPs and discusses
603	   the advantages and disadvantages to different approaches in detail.

605	2.6.  Address Plan

607	   The most common problem encountered in IPv6 networking is in applying
608	   the same principles of conservation that are so important in IPv4.
609	   IPv6 addresses do not need to be assigned conservatively.  In fact, a
610	   single larger allocation is considered more conservative than
611	   multiple non-contiguous small blocks, because a single block occupies
612	   only a single entry in a routing table.  The advice in [RFC5375] is
613	   still sound, and is recommended to the reader.  If considering ULAs,
614	   give careful thought to how well it is supported, especially in
615	   multiple address and multicast scenarios, and assess the strength of
616	   the requirement for ULA.  If using ULAs in a ULA-only deployment
617	   model, instead of using them in conjunction with Globally Unique
618	   Addressing for hosts, note that Network Prefix Translation will be
619	   required [RFC6296] for Internet based communication; the implications
620	   of which must be well understood before deploying.
621	   [I-D.ietf-v6ops-ula-usage-recommendations] provides much more
622	   detailed analysis and recommendations on the usage of ULAs.

624	   The enterprise administrator will want to evaluate whether the
625	   enterprise will request address space from a LIR (Local Internet
626	   Registry, such as an ISP), a RIR (Regional Internet Registry, such as
627	   AfriNIC, APNIC, ARIN, LACNIC, or RIPE-NCC) or a NIR (National
628	   Internet Registry, operated in some countries).  The normal
629	   allocation is Provider Aggregatable (PA) address space from the
630	   enterprise's ISP, but use of PA space implies renumbering when
631	   changing provider.  Instead, an enterprise may request Provider
632	   Independent (PI) space; this may involve an additional fee, but the
633	   enterprise may then be better able to be multihomed using that
634	   prefix, and will avoid a renumbering process when changing ISPs
635	   (though it should be noted that renumbering caused by outgrowing the
636	   space, merger, or other internal reason would still not be avoided
637	   with PI space).

639	   The type of address selected (PI vs. PA) should be congruent with the
640	   routing needs of the enterprise.  The selection of address type will
641	   determine if an operator will need to apply new routing techniques
642	   and may limit future flexibility.  There is no right answer, but the
643	   needs of the external phase may affect what address type is selected.

645	   Each network location or site will need a prefix assignment.
646	   Depending on the type of site/location, various prefix sizes may be
647	   used.  In general, historical guidance suggests that each site should
648	   get at least a /48, as documented in RFC 5375 and [RFC6177].  In
649	   addition to allowing for simple planning, this can allow a site to
650	   use its prefix for local connectivity, should the need arise, and if
651	   the local ISP supports it.

653	   When assigning addresses to end systems, the enterprise may use
654	   manually-configured addresses (common on servers) or SLAAC or DHCPv6
655	   for client systems.  Early IPv6 enterprise deployments have used
656	   SLAAC, both for its simplicity but also due to the time DHCPv6 has
657	   taken to mature.  However, DHCPv6 is now very mature, and thus
658	   workstations managed by an enterprise may use stateful DHCPv6 for
659	   addressing on corporate LAN segments.  DHCPv6 allows for the
660	   additional configuration options often employed by enterprise
661	   administrators, and by using stateful DHCPv6, administrators
662	   correlating system logs know which system had which address at any
663	   given time.  Such an accountability model is familiar from IPv4
664	   management, though for DHCPv6 hosts are identified by DUID rather
665	   than MAC address.  For equivalent accountability with SLAAC (and
666	   potentially privacy addresses), a monitoring system that harvests IP/
667	   MAC mappings from switch and router equipment could be used.

669	   A common deployment consideration for any enterprise network is how
670	   to get host DNS records updated.  In a traditional IPv4 network, the
671	   two commonly used methods are to either have the host send DNS
672	   updates itself or have the DHCPv4 server update DNS records.  The
673	   former implies that there is sufficient trust between the hosts and
674	   the DNS server while the latter implies a slightly more controlled
675	   environment where only DHCP servers are trusted to make these
676	   updates.  If the enterprise uses the first model, then SLAAC is a
677	   perfectly valid option to assign addresses to end systems.  However,
678	   an enterprise network with a more controlled environment will need to
679	   disable SLAAC and force end hosts to use DHCPv6 only.

681	   In the data center or server room, assume a /64 per VLAN.  This
682	   applies even if each individual system is on a separate VLAN.  In a /
683	   48 assignment, typical for a site, there are then still 65,535 /64
684	   blocks.  Addresses are either configured manually on the server, or
685	   reserved on a DHCPv6 server, which may also synchronize forward and
686	   reverse DNS.  Because of the need to synchronize RA timers and DNS
687	   TTLs, SLAAC is rarely, if ever, used for servers, and would require
688	   tightly coupled dynamic DNS updates.
689	   [I-D.ietf-6renum-static-problem]

691	   All user access networks should be a /64.  Point-to-point links where
692	   Neighbor Discovery Protocol is not used may also utilize a /127 (see
693	   [RFC6164]).

695	   Plan to aggregate at every layer of network hierarchy.  There is no
696	   need for VLSM [RFC1817] in IPv6, and addressing plans based on
697	   conservation of addresses are short-sighted.  Use of prefixes longer
698	   then /64 on network segments will break common IPv6 functions such as
699	   SLAAC[RFC4862].  Where multiple VLANs or other layer two domains
700	   converge, allow some room for expansion.  Renumbering due to
701	   outgrowing the network plan is a nuisance, so allow room within it.
702	   Generally, plan to grow to about twice the current size that can be
703	   accommodated; where rapid growth is planned, allow for twice that
704	   growth.  Also, if DNS (or reverse DNS) authority may be delegated to
705	   others in the enterprise, assignments need to be on nibble boundaries
706	   (that is, on a multiple of 4 bits, such as /64, /60, /56, ..., /48, /
707	   44), to ensure that delegated zones align with assigned prefixes.

709	2.7.  Tools Assessment

711	   Enterprises will often have a number of operational tools and support
712	   systems which are used to provision, monitor, manage and diagnose the
713	   network and systems within their environment.  These tools and
714	   systems will need to be assessed for compatibility with IPv6.  The
715	   compatibility may be related to the addressing and connectivity of
716	   various devices as well as IPv6 awareness the tools and processing
717	   logic.

719	   The tools within the organization fall into two general categories,
720	   those which focus on managing the network, and those which are
721	   focused on managing systems and applications on the network.  In
722	   either instance, the tools will run on platforms which may or may not
723	   be capable of operating in an IPv6 network.  This lack in
724	   functionality may be related to Operating System version, or based on
725	   some hardware constraint.  Those systems which are found to be
726	   incapable of utilizing an IPv6 connection, or which are dependent on
727	   an IPv4 stack, may need to be replaced or upgraded.

729	   In addition to devices working on an IPv6 network natively, or via a
730	   tunnel, many tools and support systems may require additional
731	   software updates to be IPv6 aware, or even a hardware upgrade
732	   (usually for additional memory: IPv6 as the addresses are larger and
733	   for a while, IPv4 and IPv6 addresses will coexist in the tool).  This
734	   awareness may include the ability to manage IPv6 elements and/or
735	   applications in addition to the ability to store and utilize IPv6
736	   addresses.

738	   Considerations when assessing the tools and support systems may
739	   include the fact that IPv6 addresses are significantly larger than
740	   IPv4, requiring data stores to support the increased size.  Such
741	   issues are among those discussed in [RFC5952].  Many organizations
742	   may also run dual-stack networks, therefore the tools need to not
743	   only support IPv6 operation, but may also need to support the
744	   monitoring, management and intersection with both IPv6 and IPv4
745	   simultaneously.  It is important to note that managing IPv6 is not
746	   just constrained to using large IPv6 addresses, but also that IPv6
747	   interfaces and nodes are likely to use two or more addresses as part
748	   of normal operation.  Updating management systems to deal with these
749	   additional nuances will likely consume time and considerable effort.

751	   For networking systems, like node management systems, it is not
752	   always necessary to support local IPv6 addressing and connectivity.
753	   Operations such as SNMP MIB polling can occur over IPv4 transport
754	   while seeking responses related to IPv6 information.  Where this may
755	   seem advantageous to some, it should be noted that without local IPv6
756	   connectivity, the management system may not be able to perform all
757	   expected functions - such as reachability and service checks.

759	   Organizations should be aware that changes to older IPv4-only SNMP
760	   MIB specifications have been made by the IETF related to legacy
761	   operation in [RFC2096] and [RFC2011].  Updated specifications are now
762	   available in [RFC4296] and [RFC4293] which modified the older MIB
763	   framework to be IP protocol agnostic, supporting both IPv4 and IPv6.
764	   Polling systems will need to be upgraded to support these updates as
765	   well as the end stations which are polled.

767	3.  External Phase

769	   The external phase for enterprise IPv6 adoption covers topics which
770	   deal with how an organization connects its infrastructure to the
771	   external world.  These external connections may be toward the
772	   Internet at large, or to other networks.  The external phase covers
773	   connectivity, security and monitoring of various elements and outward
774	   facing or accessible services.

776	   How an organization connects to the outside worlds is very important
777	   as it is often a critical part of how a business functions, therefore
778	   it must be dealt accordingly.

780	3.1.  Connectivity

782	   The enterprise will need to work with one or more Service Providers
783	   to gain connectivity to the Internet or transport service
784	   infrastructure such as a BGP/MPLS IP VPN as described in [RFC4364]
785	   and [RFC4659].  One significant factor that will guide how an
786	   organization may need to communicate with the outside world will
787	   involve the use of PI (Provider Independent) and/or PA (Provider
788	   Aggregatable) IPv6 space.

790	   Enterprises should be aware that depending on which address type they
791	   selected (PI vs. PA) in their planning section, they may need to
792	   implement new routing functions and/or behaviours to support their
793	   connectivity to the ISP.  In the case of PI, the upstream ISP may
794	   offer options to route the prefix (typically a /48) on the
795	   enterprise's behalf and update the relevant routing databases.  In
796	   other cases, the enterprise may need to perform this task on their
797	   own and use BGP to inject the prefix into the global BGP system.
798	   This latter case is not how many enterprises operate today and is an
799	   important consideration.

801	   Note that the rules set by the RIRs for an enterprise acquiring PI
802	   address space have changed over time.  For example, in the European
803	   region the RIPE-NCC no longer requires an enterprise to be multihomed
804	   to be eligible for an IPv6 PI allocation.  Requests can be made
805	   directly or via an LIR.  It is possible that the rules may change
806	   again, and may vary between RIRs.

808	   When seeking IPv6 connectivity to a Service Provider, the Enterprise
809	   will prefer to use native IPv6 connectivity.  Native IPv6
810	   connectivity is preferred since it provides the most robust and
811	   efficient form of connectivity.  If native IPv6 connectivity is not
812	   possible due to technical or business limitations, the enterprise may
813	   utilize readily available tunnelled IPv6 connectivity.  There are
814	   IPv6 transit providers which provide robust tunnelled IPv6
815	   connectivity which can operate over IPv4 networks.  It is important
816	   to understand the tunneling mechanism used, and to consider that it
817	   will have higher latency than native IPv4 or IPv6, and may have other
818	   problems, e.g. related to MTUs.

820	   The use of ULAs may provide some flexibility when an enterprise is
821	   using PA space from two or more providers in a multihoming scenario,
822	   by providing an independent local prefix for internal use, while
823	   using the PA prefix for external communication in conjunction with
824	   NPTv6 at the egress [RFC6296].  While NPTv6 can provide for
825	   simplified renumbering in certain scenarios, as described in
826	   [I-D.ietf-6renum-enterprise], it must be noted that many of the well-
827	   known issues with NAT still apply, in particular handling IPv6
828	   addresses embedded in payloads.  As mentioned earlier, if considering
829	   ULAs, give careful thought to how well it is supported, especially in
830	   multiple address and multicast scenarios, and assess the strength of
831	   the requirement for ULA.[I-D.ietf-v6ops-ula-usage-recommendations]
832	   provides much more detailed analysis and recommendations on the usage
833	   of ULAs.

835	   It should be noted that the use of PI space obviates the need for
836	   using ULAs just in order to achieve multihoming.

838	   It is important to evaluate MTU considerations when adding in IPv6 to
839	   an existing IPv4 network.  It is generally desirable to have the IPv6
840	   and IPv4 MTU congruent to simplify operations.  If the enterprise
841	   uses tunnelling inside or externally for IPv6 connectivity, then
842	   modification of the MTU on hosts/routers may be needed as mid-stream
843	   fragmentation is no longer supported in IPv6.  It is preferred that
844	   pMTUD is used to optimize the MTU, so erroneous filtering of the
845	   related ICMPv6 message types should be monitored.  Adjusting the MTU
846	   may be the only option if undesirable upstream ICMPv6 filtering
847	   cannot be removed.

849	3.2.  Security

851	   The most important part of security for external IPv6 deployment is
852	   filtering and monitoring.  Filtering can be done by stateless ACLs or
853	   a stateful firewall.  The security policies must be consistent for
854	   IPv4 and IPv6 (else the attacker will use the less protected protocol
855	   stack), except that certain ICMPv6 messages must be allowed through
856	   and to the filtering device (see [RFC4890]):

858	   o  Unreachable packet-too-big: it is very important to allow Path MTU
859	      discovery to work

861	   o  Unreachable parameter-problem
862	   o  Neighbor solicitation

864	   o  Neighbor advertisement

866	   It could also be safer to block all fragments where the transport
867	   layer header is not in the first fragment to avoid attacks as
868	   described in [RFC5722].  Some filtering devices allow this filtering.
869	   To be fully compliant with [RFC5095], all packets containing the
870	   routing extension header type 0 must be dropped.

872	   If an Intrusion Prevention System (IPS) is used for IPv4 traffic,
873	   then an IPS should also be used for IPv6 traffic.  In general, make
874	   sure IPv6 security is at least as good as IPv4.  This also includes
875	   all email content protection (anti-spam, content filtering, data
876	   leakage prevention, etc.).

878	   The edge router must also implement anti-spoofing techniques based on
879	   [RFC2827] (also known as BCP 38).

881	   In order to protect the networking devices, it is advised to
882	   implement control plane policing as per [RFC6192].

884	   The potential NDP cache exhaustion attack (see [RFC6538]) can be
885	   mitigated by two techniques:

887	   o  Good NDP implementation with memory utilization limits as well as
888	      rate-limiters and prioritization of requests.

890	   o  Or, as the external deployment usually involves just a couple of
891	      exposed statically configured IPv6 addresses (virtual addresses of
892	      web, email, and DNS servers), then it is straightforward to build
893	      an ingress ACL allowing traffic for those addresses and denying
894	      traffic to any other addresses.  This actually prevents the attack
895	      as a packet for a random destination will be dropped and will
896	      never trigger a neighbor resolution.

898	3.3.  Monitoring

900	   Monitoring the use of the Internet connectivity should be done for
901	   IPv6 as it is done for IPv4.  This includes the use of IP Flow
902	   Information eXport (IPFIX) [RFC5102] to detect abnormal traffic
903	   patterns (such as port scanning, SYN-flooding) and SNMP MIB [RFC4293]
904	   (another way to detect abnormal bandwidth utilization).  Where using
905	   Netflow, version 9 is required for IPv6 support.

907	3.4.  Servers and Applications
908	   The path to the servers accessed from the Internet usually involves
909	   security devices (firewall, IPS), server load balancing (SLB) and
910	   real physical servers.  The latter stage is also multi-tiered for
911	   scalability and security between presentation and data storage.  The
912	   ideal transition is to enable dual-stack on all devices but this may
913	   seem too time-consuming and too risky.

915	   Operators have used the following approaches with success:

917	   o  Use a network device to apply NAT64 and basically translate an
918	      inbound TCP connection (or any other transport protocol) over IPv6
919	      into a TCP connection over IPv4.  This is the easiest to deploy as
920	      the path is mostly unchanged but it hides all IPv6 remote users
921	      behind a single IPv4 address which leads to several audit trail
922	      and security issues (see [RFC6302]).

924	   o  Use the server load balancer which acts as an application proxy to
925	      do this translation.  Compared to the NAT64, it has the potential
926	      benefit of going through the security devices as native IPv6 (so
927	      more audit and trace abilities) and is also able to insert a HTTP
928	      X-Forward-For header which contains the remote IPv6 address.  The
929	      latter feature allows for logging, and rate-limiting on the real
930	      servers based on the IPV6 address even if those servers run only
931	      IPv4.

933	3.5.  Network Prefix Translation for IPv6

935	   Network Prefix Translation for IPv6, or NPTv6 as described in
936	   [RFC6296] provides a framework to utilize prefix ranges within the
937	   internal network which are separate (address-independent) from the
938	   assigned prefix from the upstream provider or registry.  As mentioned
939	   above, while NPTv6 has potential use-cases in IPv6 networks, the
940	   implications of its deployment need to be fully understood,
941	   particularly where any applications might embed IPv6 addresses in
942	   their payloads.

944	   Use of NTPv6 can be chosen independently from how addresses are
945	   assigned and routed within the internal network and how prefixes are
946	   routed towards the Internet (included both PA and PI address
947	   assignment options).

949	4.  Internal Phase

951	   This phase deals with the delivery of IPv6 to the internal user-
952	   facing side of the IT infrastructure, which comprises various
953	   components such as network devices (routers, switches, etc.), end
954	   user devices and peripherals (workstations, printers, etc.), and
955	   internal corporate systems.

957	   An important design paradigm to consider during this phase is "dual-
958	   stack when you can, tunnel when you must".  Dual-stacking allows a
959	   more robust, production-quality IPv6 network than is typically
960	   facilitated by internal use of tunnels that are harder to
961	   troubleshoot and support, and that may introduce scalability and
962	   performance issues.  Tunnels may of course still be used in
963	   production networks, but their use needs to be carefully considered,
964	   e.g. where the tunnel may be run through a security or filtering
965	   device.  Tunnels do also provide a means to experiment with IPv6 and
966	   gain some operational experience with the protocol.  [RFC4213]
967	   describes various transition mechanisms in more detail.
968	   [I-D.templin-v6ops-isops] suggests operational guidance when using
969	   ISATAP tunnels [RFC5214], though we would recommend use of dual-stack
970	   wherever possible.

972	4.1.  Security

974	   IPv6 must be deployed in a secure way.  This means that all existing
975	   IPv4 security policies must be extended to support IPv6; IPv6
976	   security policies will be the IPv6 equivalent of the existing IPv4
977	   ones (taking into account the difference for ICMPv6 [RFC4890]).  As
978	   in IPv4, security policies for IPv6 will be enforced by firewalls,
979	   ACL, IPS, VPN, and so on.

981	   Privacy extension addresses [RFC4941] raise a challenge for an audit
982	   trail as explained in section Section 2.4.3.  The enterprise may
983	   choose to attempt to enforce use of DHCPv6, or deploy monitoring
984	   tools that harvest accountability data from switches and routers
985	   (thus making the assumption that devices may use any addresses inside
986	   the network).

988	   But the major issue is probably linked to all threats against
989	   Neighbor Discovery.  This means, for example, that the internal
990	   network at the access layer (where hosts connect to the network over
991	   wired or wireless) should implement RA-guard [RFC6105] and the
992	   techniques being specified by SAVI WG [I-D.ietf-savi-threat-scope];
993	   see also Section 2.4.3 for more information.

995	4.2.  Network Infrastructure

997	   The typical enterprise network infrastructure comprises a combination
998	   of the following network elements - wired access switches, wireless
999	   access points, and routers (although it is fairly common to find
1000	   hardware that collapses switching and routing functionality into a
1001	   single device).  Basic wired access switches and access points
1002	   operate only at the physical and link layers, and don't really have
1003	   any special IPv6 considerations other than being able to support IPv6
1004	   addresses themselves for management purposes.  In many instances,
1005	   these devices possess a lot more intelligence than simply switching
1006	   packets.  For example, some of these devices help assist with link
1007	   layer security by incorporating features such as ARP inspection and
1008	   DHCP Snooping, or they may help limit where multicast floods by using
1009	   IGMP (or, in the case of IPv6, MLD) snooping.

1011	   Another important consideration in enterprise networks is first hop
1012	   router redundancy.  This directly ties into network reachability from
1013	   an end host's point of view.  IPv6 Neighbor Discovery (ND),
1014	   [RFC4861], provides a node with the capability to maintain a list of
1015	   available routers on the link, in order to be able to switch to a
1016	   backup path should the primary be unreachable.  By default, ND will
1017	   detect a router failure in 38 seconds and cycle onto the next default
1018	   router listed in its cache.  While this feature provides a basic
1019	   level of first hop router redundancy, most enterprise IPv4 networks
1020	   are designed to fail over much faster.  Although this delay can be
1021	   improved by adjusting the default timers, care must be taken to
1022	   protect against transient failures and to account for increased
1023	   traffic on the link.  Another option to provide robust first hop
1024	   redundancy is to use the Virtual Router Redundancy Protocol for IPv6
1025	   (VRRPv3), [RFC5798].  This protocol provides a much faster switchover
1026	   to an alternate default router than default ND parameters.  Using
1027	   VRRPv3, a backup router can take over for a failed default router in
1028	   around three seconds (using VRRPv3 default parameters).  This is done
1029	   without any interaction with the hosts and a minimum amount of VRRP
1030	   traffic.

1032	   Last but not the least, one of the most important design choices to
1033	   make while deploying IPv6 on the internal network is whether to use
1034	   Stateless Automatic Address Configuration (SLAAC), [RFC4862], or
1035	   Dynamic Host Configuration Protocol for IPv6 (DHCPv6), [RFC3315], or
1036	   a combination thereof.  Each option has advantages and disadvantages,
1037	   and the choice will ultimately depend on the operational policies
1038	   that guide each enterprise's network design.  For example, if an
1039	   enterprise is looking for ease of use, rapid deployment, and less
1040	   administrative overhead, then SLAAC makes more sense for
1041	   workstations.  Manual or DHCPv6 assignments are still needed for
1042	   servers, as described in the External Phase and Address Plan sections
1043	   of this document.  However, if the operational policies call for
1044	   precise control over IP address assignment for auditing then DHCPv6
1045	   may be preferred.  DHCPv6 also allows you tie into DNS systems for
1046	   host entry updates and gives you the ability to send other options
1047	   and information to clients.  It is worth noting that in general
1048	   operation RAs are still needed in DHCPv6 networks, as there is no
1049	   DHCPv6 Default Gateway option.  Similarly, DHCPv6 is needed in RA
1050	   networks for other configuration information, e.g.  NTP servers or,
1051	   in the absence of support for DNS resolvers in RAs [RFC6106], DNS
1052	   resolver information.

1054	4.3.  End user devices

1056	   Most operating systems (OSes) that are loaded on workstations and
1057	   laptops in a typical enterprise support IPv6 today.  However, there
1058	   are various out-of-the-box nuances that one should be mindful about.
1059	   For example, the default behavior of OSes vary; some may have IPv6
1060	   turned off by default, some may only have certain features such as
1061	   privacy extensions to IPv6 addresses (RFC 4941) turned off while
1062	   others have IPv6 fully enabled.  Further, even when IPv6 is enabled,
1063	   the choice of which address is used may be subject to Source Address
1064	   Selection (RFC 6724) and Happy Eyeballs (RFC 6555).  Therefore, it is
1065	   advised that enterprises investigate the default behavior of their
1066	   installed OS base and account for it during the Inventory phases of
1067	   their IPv6 preparations.  Furthermore, some OSes may have tunneling
1068	   mechanisms turned on by default and in such cases it is recommended
1069	   to administratively shut down such interfaces unless required.

1071	   It is important to note that it is recommended that IPv6 be deployed
1072	   at the network and system infrastructure level before it is rolled
1073	   out to end user devices; ensure IPv6 is running and routed on the
1074	   wire, and secure and correctly monitored, before exposing IPv6 to end
1075	   users.

1077	   Smartphones and tablets are poised to become one of the major
1078	   consumers of IP addresses and enterprises, and should be ready to
1079	   support IPv6 on various networks that serve such devices.  In
1080	   general, support for IPv6 in these devices, albeit in its infancy,
1081	   has been steadily rising.  Most of the leading smartphone OSes have
1082	   some level of support for IPv6.  However, the level of configurable
1083	   options are mostly at a minimum and are not consistent across all
1084	   platforms.  Also, it is fairly common to find IPv6 support on the Wi-
1085	   Fi connection alone and not on the radio interface in these devices.
1086	   This is sometimes due to the radio network not being IPv6 ready, or
1087	   it may be device-related.  An IPv6-enabled enterprise Wi-Fi network
1088	   will allow the majority of these devices to connect via IPv6.  Much
1089	   work is still being done to bring the full IPv6 feature set across
1090	   all interfaces (802.11, 3G, LTE, etc.) and platforms.

1092	   IPv6 support in peripheral equipment such as printers, IP cameras,
1093	   etc., has been steadily rising as well, although at a much slower
1094	   pace than traditional OSes and smartphones.  Most newer devices are
1095	   coming out with IPv6 support but there is still a large installed
1096	   base of legacy peripheral devices that might need IPv4 for some time
1097	   to come.  The audit phase mentioned earlier will make it easier for
1098	   enterprises to plan for equipment upgrades, in line with their
1099	   corporate equipment refresh cycle.

1101	4.4.  Corporate Systems

1103	   No IPv6 deployment will be successful without ensuring that all the
1104	   corporate systems that an enterprise uses as part of its IT
1105	   infrastructure support IPv6.  Examples of such systems include, but
1106	   are not limited to, email, video conferencing, telephony (VoIP), DNS,
1107	   RADIUS, etc.  All these systems must have their own detailed IPv6
1108	   rollout plan in conjunction with the network IPv6 rollout.  It is
1109	   important to note that DNS is one of the main anchors in an
1110	   enterprise deployment, since most end hosts decide whether or not to
1111	   use IPv6 depending on the presence of IPv6 AAAA records in a reply to
1112	   a DNS query.  It is recommended that system administrators
1113	   selectively turn on AAAA records for various systems as and when they
1114	   are IPv6 enabled; care must be taken though to ensure all services
1115	   running on that host name are IPv6-enabled before adding the AAAA
1116	   record.  Additionally, all monitoring and reporting tools across the
1117	   enterprise would need to be modified to support IPv6.

1119	5.  IPv6-only

1121	   Early IPv6 enterprise deployments have generally taken a dual-stack
1122	   approach to enabling IPv6, i.e. the existing IPv4 services have not
1123	   been turned off.  Although IPv4 and IPv6 networks will coexist for a
1124	   long time, the long term enterprise network roadmap should include
1125	   steps on gradually deprecating IPv4 from the dual-stack network.  In
1126	   some extreme cases, deploying dual-stack networks may not even be a
1127	   viable option for very large enterprises due to the RFC 1918 address
1128	   space not being large enough to support the network's growth.  In
1129	   such cases, deploying IPv6-only networks might be the only choice
1130	   available to sustain network growth.  In other cases, there may be
1131	   elements of an otherwise dual-stack network that may be run
1132	   IPv6-only.

1134	   If nodes in the network don't need to talk to an IPv4-only node, then
1135	   deploying IPv6-only networks should be fairly trivial.  However, in
1136	   the current environment, given that IPv4 is the dominant protocol on
1137	   the Internet, an IPv6-only node most likely needs to talk to an
1138	   IPv4-only node on the Internet.  It is therefore important to provide
1139	   such nodes with a translation mechanism to ensure communication
1140	   between nodes configured with different address families.  As
1141	   [RFC6144] points out, it is important to look at address translation
1142	   as a transition strategy towards running an IPv6-only network.

1144	   There are various stateless and stateful IPv4/IPv6 translation
1145	   methods available today that help IPv6 to IPv4 communication.  RFC
1146	   6144 provides a framework for IPv4/IPv6 translation and describes in
1147	   detail various scenarios in which such translation mechanisms could
1148	   be used.  [RFC6145] describes stateless address translation.  In this
1149	   mode, a specific IPv6 address range will represent IPv4 systems
1150	   (IPv4-converted addresses), and the IPv6 systems have addresses
1151	   (IPv4-translatable addresses) that can be algorithmically mapped to a
1152	   subset of the service provider's IPv4 addresses.  [RFC6146], NAT64,
1153	   describes stateful address translation.  As the name suggests, the
1154	   translation state is maintained between IPv4 address/port pairs and
1155	   IPv6 address/port pairs, enabling IPv6 systems to open sessions with
1156	   IPv4 systems.  [RFC6147], DNS64, describes a mechanism for
1157	   synthesizing AAAA resource records (RRs) from A RRs.  Together, RFCs
1158	   6146 and RFC 6147 provide a viable method for an IPv6-only client to
1159	   initiate communications to an IPv4-only server.

1161	   The address translation mechanisms for the stateless and stateful
1162	   translations are defined in [RFC6052].  It is important to note that
1163	   both of these mechanisms have limitations as to which protocols they
1164	   support.  For example, RFC 6146 only defines how stateful NAT64
1165	   translates unicast packets carrying TCP, UDP, and ICMP traffic only.
1166	   The classic problems of IPv4 NAT also apply, e.g. handling IP
1167	   literals in application payloads.  The ultimate choice of which
1168	   translation mechanism to chose will be dictated mostly by existing
1169	   operational policies pertaining to application support, logging
1170	   requirements, etc.

1172	   There is additional work being done in the area of address
1173	   translation to enhance and/or optimize current mechanisms.  For
1174	   example, [I-D.xli-behave-divi] describes limitations with the current
1175	   stateless translation, such as IPv4 address sharing and application
1176	   layer gateway (ALG) problems, and presents the concept and
1177	   implementation of dual-stateless IPv4/IPv6 translation (dIVI) to
1178	   address those issues.

1180	   It is worth noting that for IPv6-only access networks that use
1181	   technologies such as NAT64, the more content providers (and
1182	   enterprises) that make their content available over IPv6, the less
1183	   the requirement to apply NAT64 to traffic leaving the access network.

1185	6.  Considerations For Specific Enterprises

1187	6.1.  Content Delivery Networks

1189	   Some guidance for Internet Content and Application Service Providers
1190	   can be found in [I-D.ietf-v6ops-icp-guidance], which includes a
1191	   dedicated section on CDNs.  An enterprise that relies on CDN to
1192	   deliver a 'better' e-commerce experience needs to ensure that their
1193	   CDN provider also supports IPv4/IPv6 traffic selection so that they
1194	   can ensure 'best' access to the content.

1196	6.2.  Data Center Virtualization

1198	   IPv6 Data Center considerations are described in
1199	   [I-D.lopez-v6ops-dc-ipv6].

1201	6.3.  University Campus Networks

1203	   A number of campus networks around the world have made some initial
1204	   IPv6 deployment.  This has been encouraged by their National Research
1205	   and Education Network (NREN) backbones having made IPv6 available
1206	   natively since the early 2000's.  Universities are a natural place
1207	   for IPv6 deployment to be considered at an early stage, perhaps
1208	   compared to other enterprises, as they are involved by their very
1209	   nature in research and education.

1211	   Campus networks can deploy IPv6 at their own pace; their is no need
1212	   to deploy IPv6 across the entire enterprise from day one, rather
1213	   specific projects can be identified for an initial deployment, that
1214	   are both deep enough to give the university experience, but small
1215	   enough to be a realistic first step.  There are generally three areas
1216	   in which such deployments are currently made.

1218	   In particular those initial areas commonly approached are:

1220	   o  External-facing services.  Typically the campus web presence and
1221	      commonly also external-facing DNS and MX services.  This ensures
1222	      early IPv6-only adopters elsewhere can access the campus services
1223	      as simply and as robustly as possible.

1225	   o  Computer science department.  This is where IPv6-related research
1226	      and/or teaching is most likely to occur, and where many of the
1227	      next generation of network engineers are studying, so enabling
1228	      some or all of the campus computer science department network is a
1229	      sensible first step.

1231	   o  The eduroam wireless network.  Eduroam [I-D.wierenga-ietf-eduroam]
1232	      is the de facto wireless roaming system for academic networks, and
1233	      uses 802.1X-based authentication, which is agnostic to the IP
1234	      version used (unlike web-redirection gateway systems).  Making a
1235	      campus' eduroam network dual-stack is a very viable early step.

1237	   The general IPv6 deployment model in a campus enterprise will still
1238	   follow the general principles described in this document.  While the
1239	   above early stage projects are commonly followed, these still require
1240	   the campus to acquire IPv6 connectivity and address space from their
1241	   NREN (or other provider in some parts of the world), and to enable
1242	   IPv6 on the wire on at least part of the core of the campus network.
1243	   This implies a requirement to have an initial address plan, and to
1244	   ensure appropriate monitoring and security measures are in place, as
1245	   described elsewhere in this document.

1247	   Campuses which have deployed to date do not use ULAs, nor do they use
1248	   NPTv6.  In general, campuses have very stable PA-based address
1249	   allocations from their NRENs (or their equivalent).  However, campus
1250	   enterprises may consider applying for IPv6 PI; some have already done
1251	   so.  The discussions earlier in this text about PA vs. PI still
1252	   apply.

1254	   Finally, campuses may be more likely than many other enterprises to
1255	   run multicast applications, such as IP TV or live lecture or seminar
1256	   streaming, so may wish to consider support for specific IPv6
1257	   multicast functionality, e.g. Embedded-RP [RFC3956] in routers and
1258	   MLDv1 and MLDv2 snooping in switches.

1260	7.  Security Considerations

1262	   This document has multiple security sections detailing how to
1263	   securely deploy an IPv6 network within an enterprise network.

1265	8.  Acknowledgements

1267	   The authors would like to thank Chris Grundemann, Ray Hunter, Brian
1268	   Carpenter, Tina Tsou, Christian Jaquenet, and Fred Templin for their
1269	   substantial comments and contributions.

1271	9.  IANA Considerations

1273	   There are no IANA considerations or implications that arise from this
1274	   document.

1276	10.  Informative References

1278	   [RFC0826]  Plummer, D., "Ethernet Address Resolution Protocol: Or
1279	              converting network protocol addresses to 48.bit Ethernet
1280	              address for transmission on Ethernet hardware", STD 37,
1281	              RFC 826, November 1982.

1283	   [RFC1687]  Fleischman, E., "A Large Corporate User's View of IPng",
1284	              RFC 1687, August 1994.

1286	   [RFC1817]  Rekhter, Y., "CIDR and Classful Routing", RFC 1817, August
1287	              1995.

1289	   [RFC1918]  Rekhter, Y., Moskowitz, R., Karrenberg, D., Groot, G., and
1290	              E. Lear, "Address Allocation for Private Internets", BCP
1291	              5, RFC 1918, February 1996.

1293	   [RFC2011]  McCloghrie, K., "SNMPv2 Management Information Base for
1294	              the Internet Protocol using SMIv2", RFC 2011, November
1295	              1996.

1297	   [RFC2096]  Baker, F., "IP Forwarding Table MIB", RFC 2096, January
1298	              1997.

1300	   [RFC2827]  Ferguson, P. and D. Senie, "Network Ingress Filtering:
1301	              Defeating Denial of Service Attacks which employ IP Source
1302	              Address Spoofing", BCP 38, RFC 2827, May 2000.

1304	   [RFC3315]  Droms, R., Bound, J., Volz, B., Lemon, T., Perkins, C.,
1305	              and M. Carney, "Dynamic Host Configuration Protocol for
1306	              IPv6 (DHCPv6)", RFC 3315, July 2003.

1308	   [RFC3956]  Savola, P. and B. Haberman, "Embedding the Rendezvous
1309	              Point (RP) Address in an IPv6 Multicast Address", RFC
1310	              3956, November 2004.

1312	   [RFC3971]  Arkko, J., Kempf, J., Zill, B., and P. Nikander, "SEcure
1313	              Neighbor Discovery (SEND)", RFC 3971, March 2005.

1315	   [RFC3972]  Aura, T., "Cryptographically Generated Addresses (CGA)",
1316	              RFC 3972, March 2005.

1318	   [RFC4038]  Shin, M-K., Hong, Y-G., Hagino, J., Savola, P., and E.
1319	              Castro, "Application Aspects of IPv6 Transition", RFC
1320	              4038, March 2005.

1322	   [RFC4057]  Bound, J., "IPv6 Enterprise Network Scenarios", RFC 4057,
1323	              June 2005.

1325	   [RFC4193]  Hinden, R. and B. Haberman, "Unique Local IPv6 Unicast
1326	              Addresses", RFC 4193, October 2005.

1328	   [RFC4213]  Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms
1329	              for IPv6 Hosts and Routers", RFC 4213, October 2005.

1331	   [RFC4293]  Routhier, S., "Management Information Base for the
1332	              Internet Protocol (IP)", RFC 4293, April 2006.

1334	   [RFC4296]  Bailey, S. and T. Talpey, "The Architecture of Direct Data
1335	              Placement (DDP) and Remote Direct Memory Access (RDMA) on
1336	              Internet Protocols", RFC 4296, December 2005.

1338	   [RFC4364]  Rosen, E. and Y. Rekhter, "BGP/MPLS IP Virtual Private
1339	              Networks (VPNs)", RFC 4364, February 2006.

1341	   [RFC4443]  Conta, A., Deering, S., and M. Gupta, "Internet Control
1342	              Message Protocol (ICMPv6) for the Internet Protocol
1343	              Version 6 (IPv6) Specification", RFC 4443, March 2006.

1345	   [RFC4659]  De Clercq, J., Ooms, D., Carugi, M., and F. Le Faucheur,
1346	              "BGP-MPLS IP Virtual Private Network (VPN) Extension for
1347	              IPv6 VPN", RFC 4659, September 2006.

1349	   [RFC4861]  Narten, T., Nordmark, E., Simpson, W., and H. Soliman,
1350	              "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861,
1351	              September 2007.

1353	   [RFC4862]  Thomson, S., Narten, T., and T. Jinmei, "IPv6 Stateless
1354	              Address Autoconfiguration", RFC 4862, September 2007.

1356	   [RFC4890]  Davies, E. and J. Mohacsi, "Recommendations for Filtering
1357	              ICMPv6 Messages in Firewalls", RFC 4890, May 2007.

1359	   [RFC4941]  Narten, T., Draves, R., and S. Krishnan, "Privacy
1360	              Extensions for Stateless Address Autoconfiguration in
1361	              IPv6", RFC 4941, September 2007.

1363	   [RFC5095]  Abley, J., Savola, P., and G. Neville-Neil, "Deprecation
1364	              of Type 0 Routing Headers in IPv6", RFC 5095, December
1365	              2007.

1367	   [RFC5102]  Quittek, J., Bryant, S., Claise, B., Aitken, P., and J.
1368	              Meyer, "Information Model for IP Flow Information Export",
1369	              RFC 5102, January 2008.

1371	   [RFC5157]  Chown, T., "IPv6 Implications for Network Scanning", RFC
1372	              5157, March 2008.

1374	   [RFC5211]  Curran, J., "An Internet Transition Plan", RFC 5211, July
1375	              2008.

1377	   [RFC5214]  Templin, F., Gleeson, T., and D. Thaler, "Intra-Site
1378	              Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214,
1379	              March 2008.

1381	   [RFC5375]  Van de Velde, G., Popoviciu, C., Chown, T., Bonness, O.,
1382	              and C. Hahn, "IPv6 Unicast Address Assignment
1383	              Considerations", RFC 5375, December 2008.

1385	   [RFC5722]  Krishnan, S., "Handling of Overlapping IPv6 Fragments",
1386	              RFC 5722, December 2009.

1388	   [RFC5798]  Nadas, S., "Virtual Router Redundancy Protocol (VRRP)
1389	              Version 3 for IPv4 and IPv6", RFC 5798, March 2010.

1391	   [RFC5952]  Kawamura, S. and M. Kawashima, "A Recommendation for IPv6
1392	              Address Text Representation", RFC 5952, August 2010.

1394	   [RFC6052]  Bao, C., Huitema, C., Bagnulo, M., Boucadair, M., and X.
1395	              Li, "IPv6 Addressing of IPv4/IPv6 Translators", RFC 6052,
1396	              October 2010.

1398	   [RFC6104]  Chown, T. and S. Venaas, "Rogue IPv6 Router Advertisement
1399	              Problem Statement", RFC 6104, February 2011.

1401	   [RFC6105]  Levy-Abegnoli, E., Van de Velde, G., Popoviciu, C., and J.
1402	              Mohacsi, "IPv6 Router Advertisement Guard", RFC 6105,
1403	              February 2011.

1405	   [RFC6106]  Jeong, J., Park, S., Beloeil, L., and S. Madanapalli,
1406	              "IPv6 Router Advertisement Options for DNS Configuration",
1407	              RFC 6106, November 2010.

1409	   [RFC6144]  Baker, F., Li, X., Bao, C., and K. Yin, "Framework for
1410	              IPv4/IPv6 Translation", RFC 6144, April 2011.

1412	   [RFC6145]  Li, X., Bao, C., and F. Baker, "IP/ICMP Translation
1413	              Algorithm", RFC 6145, April 2011.

1415	   [RFC6146]  Bagnulo, M., Matthews, P., and I. van Beijnum, "Stateful
1416	              NAT64: Network Address and Protocol Translation from IPv6
1417	              Clients to IPv4 Servers", RFC 6146, April 2011.

1419	   [RFC6147]  Bagnulo, M., Sullivan, A., Matthews, P., and I. van
1420	              Beijnum, "DNS64: DNS Extensions for Network Address
1421	              Translation from IPv6 Clients to IPv4 Servers", RFC 6147,
1422	              April 2011.

1424	   [RFC6177]  Narten, T., Huston, G., and L. Roberts, "IPv6 Address
1425	              Assignment to End Sites", BCP 157, RFC 6177, March 2011.

1427	   [RFC6164]  Kohno, M., Nitzan, B., Bush, R., Matsuzaki, Y., Colitti,
1428	              L., and T. Narten, "Using 127-Bit IPv6 Prefixes on Inter-
1429	              Router Links", RFC 6164, April 2011.

1431	   [RFC6192]  Dugal, D., Pignataro, C., and R. Dunn, "Protecting the
1432	              Router Control Plane", RFC 6192, March 2011.

1434	   [RFC6296]  Wasserman, M. and F. Baker, "IPv6-to-IPv6 Network Prefix
1435	              Translation", RFC 6296, June 2011.

1437	   [RFC6302]  Durand, A., Gashinsky, I., Lee, D., and S. Sheppard,
1438	              "Logging Recommendations for Internet-Facing Servers", BCP
1439	              162, RFC 6302, June 2011.

1441	   [RFC6434]  Jankiewicz, E., Loughney, J., and T. Narten, "IPv6 Node
1442	              Requirements", RFC 6434, December 2011.

1444	   [RFC6538]  Henderson, T. and A. Gurtov, "The Host Identity Protocol
1445	              (HIP) Experiment Report", RFC 6538, March 2012.

1447	   [RFC6724]  Thaler, D., Draves, R., Matsumoto, A., and T. Chown,
1448	              "Default Address Selection for Internet Protocol Version 6
1449	              (IPv6)", RFC 6724, September 2012.

1451	   [RFC6555]  , "Happy Eyeballs: Success with Dual-Stack Hosts", .

1453	   [RFC6583]  , "Operational Neighbor Discovery Problems", .

1455	   [I-D.xli-behave-divi]
1456	              Bao, C., Li, X., Zhai, Y., and W. Shang, "dIVI: Dual-
1457	              Stateless IPv4/IPv6 Translation", draft-xli-behave-divi-05
1458	              (work in progress), June 2013.

1460	   [I-D.wierenga-ietf-eduroam]
1461	              Wierenga, K., Winter, S., and T. Wolniewicz, "The eduroam
1462	              architecture for network roaming", draft-wierenga-ietf-
1463	              eduroam-00 (work in progress), October 2012.

1465	   [I-D.ietf-savi-threat-scope]
1466	              McPherson, D., Baker, F., and J. Halpern, "SAVI Threat
1467	              Scope", draft-ietf-savi-threat-scope-08 (work in
1468	              progress), April 2013.

1470	   [I-D.lopez-v6ops-dc-ipv6]
1471	              Lopez, D., Chen, Z., Tsou, T., Zhou, C., and A. Servin,
1472	              "IPv6 Operational Guidelines for Datacenters", draft-
1473	              lopez-v6ops-dc-ipv6-04 (work in progress), February 2013.

1475	   [I-D.templin-v6ops-isops]
1476	              Templin, F., "Operational Guidance for IPv6 Deployment in
1477	              IPv4 Sites using ISATAP", draft-templin-v6ops-isops-19
1478	              (work in progress), April 2013.

1480	   [I-D.carpenter-6man-ext-transmit]
1481	              Carpenter, B. and S. Jiang, "Transmission of IPv6
1482	              Extension Headers", draft-carpenter-6man-ext-transmit-02
1483	              (work in progress), February 2013.

1485	   [I-D.ietf-6renum-enterprise]
1486	              Jiang, S., Liu, B., and B. Carpenter, "IPv6 Enterprise
1487	              Network Renumbering Scenarios, Considerations and
1488	              Methods", draft-ietf-6renum-enterprise-06 (work in
1489	              progress), January 2013.

1491	   [I-D.ietf-6renum-static-problem]
1492	              Carpenter, B. and S. Jiang, "Problem Statement for
1493	              Renumbering IPv6 Hosts with Static Addresses in Enterprise
1494	              Networks", draft-ietf-6renum-static-problem-03 (work in
1495	              progress), December 2012.

1497	   [I-D.ietf-v6ops-design-choices]
1498	              Matthews, P., "Design Choices for IPv6 Networks", draft-
1499	              ietf-v6ops-design-choices-00 (work in progress), February
1500	              2013.

1502	   [I-D.ietf-opsec-v6]
1503	              Chittimaneni, K., Kaeo, M., and E. Vyncke, "Operational
1504	              Security Considerations for IPv6 Networks", draft-ietf-
1505	              opsec-v6-02 (work in progress), February 2013.

1507	   [I-D.ietf-opsec-ipv6-host-scanning]
1508	              Gont, F. and T. Chown, "Network Reconnaissance in IPv6
1509	              Networks", draft-ietf-opsec-ipv6-host-scanning-01 (work in
1510	              progress), April 2013.

1512	   [I-D.ietf-opsec-ipv6-implications-on-ipv4-nets]
1513	              Gont, F. and W. Liu, "Security Implications of IPv6 on
1514	              IPv4 Networks", draft-ietf-opsec-ipv6-implications-on-
1515	              ipv4-nets-05 (work in progress), July 2013.

1517	   [I-D.ietf-v6ops-ra-guard-implementation]
1518	              Gont, F., "Implementation Advice for IPv6 Router
1519	              Advertisement Guard (RA-Guard)", draft-ietf-v6ops-ra-
1520	              guard-implementation-07 (work in progress), November 2012.

1522	   [I-D.ietf-v6ops-icp-guidance]
1523	              Carpenter, B. and S. Jiang, "IPv6 Guidance for Internet
1524	              Content and Application Service Providers", draft-ietf-
1525	              v6ops-icp-guidance-05 (work in progress), January 2013.

1527	   [I-D.liu-bonica-dhcpv6-slaac-problem]
1528	              Liu, B. and R. Bonica, "DHCPv6/SLAAC Address Configuration
1529	              Interaction Problem Statement", draft-liu-bonica-dhcpv6
1530	              -slaac-problem-01 (work in progress), February 2013.

1532	   [I-D.ietf-v6ops-ula-usage-recommendations]
1533	              Liu, B., Jiang, S., and C. Byrne, "Recommendations of
1534	              Using Unique Local Addresses", draft-ietf-v6ops-ula-usage-
1535	              recommendations-00 (work in progress), May 2013.

1537	   [SMURF]    , "CERT Advisory CA-1998-01 Smurf IP Denial-of-Service
1538	              Attacks", ,
1539	              <http://www.cert.org/advisories/CA-1998-01.html>.

1541	   [CYMRU]    , "THE BOGON REFERENCE", ,
1542	              <http://www.team-cymru.org/Services/Bogons/>.

1544	Authors' Addresses

1546	   Kiran K. Chittimaneni
1547	   Google Inc.
1548	   1600 Amphitheater Pkwy
1549	   Mountain View, California  CA 94043
1550	   USA

1552	   Email: kk@google.com

1554	   Tim Chown
1555	   University of Southampton
1556	   Highfield
1557	   Southampton, Hampshire  SO17 1BJ
1558	   United Kingdom

1560	   Email: tjc@ecs.soton.ac.uk

1562	   Lee Howard
1563	   Time Warner Cable
1564	   13820 Sunrise Valley Drive
1565	   Herndon, VA  20171
1566	   US

1568	   Phone: +1 703 345 3513
1569	   Email: lee.howard@twcable.com

1571	   Victor Kuarsingh
1572	   Rogers Communications
1573	   8200 Dixie Road
1574	   Brampton, Ontario
1575	   Canada

1577	   Email: victor.kuarsingh@rci.rogers.com
1578	   Yanick Pouffary
1579	   Hewlett Packard
1580	   950 Route Des Colles
1581	   Sophia-Antipolis  06901
1582	   France

1584	   Email: Yanick.Pouffary@hp.com

1586	   Eric Vyncke
1587	   Cisco Systems
1588	   De Kleetlaan 6a
1589	   Diegem  1831
1590	   Belgium

1592	   Phone: +32 2 778 4677
1593	   Email: evyncke@cisco.com