IPv6 High Availability

IPv6 is a network-layer replacement for IPv4

IPv6 does not solve all the problems experienced with IPv4. Issues experienced with multihoming and Network Address Translation ( NAT ) still exist in IPv6. Locator/ID Separation Protocol (LISP) solves the problem of multihoming not IPv6 and Network Address Translation ( NAT ) is still needed for load balancing. The main change with IPv6 is longer addresses. We now have 128 bits to play with, opposed to 32 bits with IPv4.

Increasing bits means we cannot transport IPv6 packets using existing routing protocols. Some protocols like ISIS, EIGRP, and BGP support address families offering multiprotocol capabilities. Protocols that support address families made it easy to enable IPv6 with IPv6 extended address families. Other protocols such as OSPF were too tightly coupled with IPv4 and a complete protocol redesign was required to support IPv6. Including new LSA types, flooding rules and internal packet formats.

 

IPv6

IPv6

 

IPv6 uses Internet Control Message Protocol version 6 ( ICMPv6 ) and it acts like a control plane for the v6 world. IPv6 Neighbor Discovery ( ND ) replaces IPv4 Address Resolution Protocol ( ARP ). In PPP’s IPCP, we now have IPv6 IPCP. IPCP in IPv6 does not negotiate the endpoint address like it does with IPv4 IPCP. IPv6 IPCP just negotiating the use of protocols.

 

IPv6 Security & IPv6 Happy Eyeballs

Few things to keep in mind when deploying mission-critical applications in an IPv6 environment. Big problems arise from deployments of multiprotocol networks i.e dual stacking IPv4 and IPv6 on the same host. Best practices are easily forgotten when you deploy IPv6. For example, network implementations forget to add IPv6 access-lists to LAN interfaces and to access-lists VTY lines to secure device telnet access.

Always implement IPv6 first hop security mechanisms such as RA guard and source address validation. In an IPv4 world, we have IP source guard, ARP guard, DHCP snooping. Existing IPv4 security measures are available with corresponding IPv6 counterparts, you just need to make the switches support these mechanisms. And in virtual worlds, all these features are implemented on Hypervisor.

First problem we experience with dual stack networks is that the same Application can run over IPv4 and IPv6 and application transports (either IPv4 & IPv6 transports) could change dynamically without any engineering control i.e application X is available over IPv4 one day and dynamically changes to IPv6 the next day. The dynamic changing between IPv4 and IPv6 transports is known as the happy eyeballs effect. Different Operating Systems (Windows, Linux) may react differently to this change and no single operating system reacts the same. Having IPv4 and IPv6 sessions established ( almost ) in parallel introduces major layers of complexity to network troubleshooting and is non-deterministic. Designers should always attempt to design with simplicity with determinism in mind.

Try to avoid dual stack at all costs due to its non-deterministic and happy eyeballs effect. Disable IPv6 unless you need it or just make sure that the connected switches only pass IPv4 and not IPv6.

 

IPv6 High Availability Components

High availability is not just a network function. It goes deep into the application architecture and structures. Users should get the most they can get, regardless of the network being operational. The Issue we have designing end-to-end network is that we usually do not control the first hop between the user and the network. For example, a smart phone connecting to 4G to download a piece of information. We do not control the initial network entry points. Application developers are changing the concepts of high availability methods within the application. New applications are now carrying out what is known as graceful degradation in an effort to be more resilient to failures. Scenarios where there is no network, graceful degradation permits some local action for users. For example, if the database server is down, users may still be able to connect but not perform any writing to the database.

 

First Hop HA Mechanism 

You can configure static or have an automatic configuration with Stateless Address Autoconfiguration ( SLAAC  ) or use Dynamic Host Configuration Protocol ( DHCP ). Many prefer to use SLAAC. But for security or legal reason you need to know exactly what address you are using for what client forces you down the path of DHCPv6. IPv6 security concerns exist and clients may set addresses manually and circumvent DHCPv6 rules.

IPv6 Parameters

IPv6 Basic Communication

Whenever a host starts, it creates a IPv6 link-local address from interface Media Access Control Address ( MAC ) address. Nodes attempt to figure out if anyone else is trying to use that address and duplicate address detection ( DAD ) is carried out. The host sends out Router Solicitation ( RS ) from its link-local to determine the routes on the network. All IPv6 routers respond with Router Advertisement ( RA ).

IPv6 Communications 

IPv6 Flags

Every IPv6 prefix has a number of flags. One type of flag configured with all prefixes is the “A” flag. “A” flag enables hosts to generate its own IPv6 address on that link.  If “A” flag is set, the server may generate another IPv6 address ( in additional to a static address ). Resulting in servers having a link-local address, static address and auto-generated address. Numerous IPv6 addresses will not affect inbound session as inbound sessions can accept traffic on all IPv6 addresses. However, complications may arise when the server establishes sessions outbound and this can be unpredictable. To make sure this does not happen, ensure the A flag is cleared on IPv6 subnets.

RA messages can also indicate more information available, for example when the IPv6 host sends DHCP information request. This is indicated with the “O” flag in RA message. Usually needed to find out who DNS server is.

Every prefix has two flags; “A” and “L” flag. When “L” flag is set, two hosts can communicate directly, even if they are not on the same subnet ( router is advertising two subnets ). Allowing hosts to communicate directly. For example, if Host A and Host B are on same or in different subnets and routing device advertises the subnet without “L” flag, absence of the L flag tells the hosts not to communicate directly. All traffic goes via the router. Even if both hosts are in the same subnet.

If you are running an IPv4 only subnet and an intruder compromises the network and starts to send RA messages. All servers will auto configure. The intruder can advertise itself as IPv6 default router and IPv6 DNS server. Once the IPv6 attackers hits the default routers it totally owns the subnet and can do whatever it wants with that traffic. Take note with the “L” flag cleared, all the traffic will go through the intruders device. Basically, intercepting everything.

 

First Hop High Availability

Multi-Chassis Link Aggregation ( MLAG ) and switch stack technology are the same with IPv4 and IPv6. No changes to Layer 2 switches. Obviously, you need to implement changes at Layer 3.

Routers advertise their presence with RA messages and host behavior will vary from one Operating Systems to the other. It will either use the first valid RA message received and load balance between all first-hop routers. RA-based failures are appropriate for convergence around 2 to 3 seconds. Possible to tweak this by setting RA timers. Minimum RA interval is 30 msec and minimum RA lifetime is 1 second. Avoid low timer values as RA based fail over consumes CPU cycles to process.

 

RA Failover

RA Failover

 

If you have stricter-convergence requirements, implement HSRP or VRRPv3 as the IPv6 first-hop redundancy protocol. It works the same way as it did in version 2. The master is the only one sending RA messages. All hosts send traffic to VRRP IP address, which is resolved to the VRRP MAC address. Sub-second convergence is possible.

 

VRRPv3

VRRPv3

 

Load balancing between two boxes is possible. You could use the old trick and configure two VRRP groups to server-facing subnets. The implementation includes multiple VRRP groups configured on the same interface with multiple VRRP masters ( one per group ). Instead, of having one VRRP Master sending out RA advertisement, we now have multiple masters and each master sends RA messages with it groups IPv6 and virtual MAC address. The host will now receive two RA messages and can do whatever the OS supports. Arista EOS has a technology known as Virtual ARP: both Layer 3 devices will listen to the same IPv6 MAC address and whichever ones get the packet will process it.

 

 

About Matt Conran

Matt Conran has created 169 entries.

Leave a Reply