This discussion is locked

ASK THE EXPERT : World IPv6 Day: What Should You Do?

Answered Question
May 17th, 2011

with Read the bio

Welcome to the Cisco Support Community Ask the Expert conversation. This is an opportunity to learn about dual IPv6 and IPv6 stacked environment with Cisco subject matter expert Phil Remaker who can also explain typical failure modes in IPv6 transport and DNS that might be experienced. Phil will introduce some websites you can use to test your IPv6 connectivity in advance of World IPv6 Day and will be able to share with you about IPv6 connectivity options for websites and end users. is a distinguished support engineer at Cisco and is recognized for his wide range of knowledge and skills in Cisco products, networking protocols, and systems. He currently works as a technical leader in the Cisco Services Technical Services organization focusing on vexing problems around security, software release, and product manageability. You can watch the webcast here. You can also read all the questions that were asked and responded during the live webcast here.


Remember to use the rating system to let Phil know if you have received an adequate response.
 
Phil might not be able to answer each question due to the volume expected during this event. Remember that you can continue the conversation on the discussion forum shortly after the event. This event lasts through May 27, 2011. Visit this forum often to view responses to your questions and the questions of other community members.

I have this problem too.
0 votes
Correct Answer by Phillip Remaker about 2 years 10 months ago

Hello Xiao,

'Implementing VoIP for IPv6' is a reference for using IPv6 features in Cisco Voice Gateway products.

If your 3 devices are just acting as IPv6 packet routers not as VoIP endpoints, code older than 12.4(22) should be OK.

However, what worries me is that you report the version as 12.4(13r), which is not an IOS version but a ROM Monitor version.   Please issue the "show version" command and look for the IOS Software version and not the ROM monitor version.

Will you be using the Cisco devices as voice gateways?

-Phil Remaker

Correct Answer by Phillip Remaker about 2 years 10 months ago

Thanks to all who attended and asked questions.  I will do my best to answer them based on what I understand the question to mean.  If I am not clear, please rephrase the question or ask another question.


Question:
Is there a way to test IPv6 tunnels if your service provider is not providing IPv6?

Yes.  You can use a number of free public tunnel broker services.  Three of the most popular are Hurricane Electric, SiXXS and Freenet6.  You can find a longer list of tunnel broker providers at http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers.  You can also use 6to4 or Teredo, but you can expect a more predictable experience from a Tunnel Broker.  See also: https://supportforums.cisco.com/docs/DOC-14969

Question:

Do Cisco ASA's support tunnelbroker services from HE?

This functionality was just added in 8.3, but I'm not yet aware of a Cisco authored tech note on the topic.  I did find an external site discussing it at http://efreedom.com/Question/2-147899/Cisco-ASA-Static-IPv6-Tunnel-Endpoint and I invite you to write up your own tech note on the support communities when you get it working.  This topic may merit an independent thread!

Correction: 5/20/2011 - several folks privately pointed out to that the mentioned article above refers only to passing IP protocol 41 through the firewall from a tunnel endpoint inside the firewall.  As of this writing, the ASA does not have the capability to terminate a 6in4 tunnel. 

Question:

How can I buy an AS & PI ipv6 subnet?

Contact your local Regional Internet Registry (RIR).  For example, the American Registry for Internet Numbers (ARIN) has their fee schedule for AS and PI subnets at https://www.arin.net/fees/fee_schedule.html.  The other RIRs are listed at http://en.wikipedia.org/wiki/Regional_Internet_registry

Question:

Thoughts comparing dual stack deployment versus native IPv6 w/ NAT64/DNS64? Considering going with the latter (I'm starting the testing).   

It depends a lot on your environment.  If the devices are mostly under your administrative control and still have to contact a lot of IPv4 devices, dual stack still makes the most sense.

If you are facing serious IPv4 address space constraints or the devices will primarily speak to other IPv6 or you want to be able to take advantage of the simplicities of an all IPv6 environment the, NAT64 may be the better choice.

Be aware that at this point, the Cisco NAT64 implementations are 1:1 (stateless) meaning that each IPv6 address reaching out an IPv4 device needs to be matched to a dedicated IPv4 address.  Presumably, a 1:many (stateful) NAT64 implementation will eventually become available.

In the end, the decision rests on your goals in your own network.  Ivan Pepelnjak makes a good case for NAT64 in a recent blog at http://blog.ioshints.info/2011/05/nat64-its-all-about-legacy-content.html, but most enterprises I see are opting for dual stack since they have well established IPv4 processes.  Even so, I know one large enterprise that prefers all IPv6 internally for the ease of subnet migration afforded by IPv6 as well as the ability to do away with stateful DHCP and IPv4 subnet management issues. For them, NAT64/DNS64 is the best path to access legacy IPv4 content.

Question:

Will 6to4 clients be impacted if we don't route IPv6 with our Inet carrier?


The beauty (horror?) of 6to4 is that it can run completely on an all-IPv4 carrier infrastructureIn fact, if you have a Windows Vista (o later) end host that gets assigned a global (non-RFC1918) address, it will automatically build a 6to4 tunnel to the nearest 6to4 relay using the well known anycast address of  192.0.2.42.  Similarly, some home gateways will automatically form 6to4 tunnels without end-user intervention.  So, even if your carrier does not run IPv6, any device that can reach the anycast address of 192.0.2.42 and pass IP protocol 41 can form a 6to4 tunnel.  In summary, 6to4 clients do not need IPv6 on the carrier as long as they can reach a 6to4 relay over IPv4

Question:
Do I need to change configuration in my router to route to ipv6 address host?

If you want to run IPv6 natively on the LAN, you will need to configure IPv6 on your router.  However, it is possible for IPv4 speaking hosts to directly terminate IPv6 through IPv4 so that the router does not NEED to participate.  However, for the most seamless experience to the end user, IPv6 should be enabled on the router interfaces.

Question:

Roughly what percentage of public networks do not yet support ipv4?? Conversely, does common modern datacenter equipment already support ipv6 and come configured to use it by default?

I would estimate that zero percent of public networks do not support IPv4.  Assuming the question intended to say IPv6, this question can be answered several ways.  Cisco's own Eric Vyncke tracks the number of IPv6 capable web sited by top level domain at http://www.vyncke.org/ipv6status/.  If you mean the number of service providers that can offer a native IPv6 connection, http://www.sixxs.net/faq/connectivity/?faq=native provides a list.  The "BGP Weathermap at http://bgpmon.net/weathermap.php?inet=6 shouls the number of IPv6 prefixes appearing on a per-country basis, and http://www.cidr-report.org/v6/as2.0/ provides Geoff Huston's report on the number of autonomous systems carrying IPv6 routes (prefixes).

As for the second part of the question, it depends on your definition of "Modern Datacenter Equipment."  My estimation is "not enough!!"  Clearly, all layer 2 switches "support" IPv6, but layer-crossing features like ARP and DHCP spoofing defense take different form when using IPv6 (collectively, the feature set is called "First Hop Security").  Industry wide, vendors are striving to get more IPv6 features in more places as fast as possible.  Which features do you most need in your modern datacenter equipment?

5/20/2011: Corrected erroneous statement on ASA tunnel termination.

  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 5 (2 ratings)
ciscomoderator Thu, 05/19/2011 - 20:04

Hello Phil,

Can you kindly reply to these questions that were asked by the live audience during the event but we did not have time to answer?

Question: ­

Is there a way to test IPv6 tunnels if your service provider is not providing IPv6?­

Question:

­Do Cisco ASA's support tunnelbroker services from HE?­

Question:

­How can I buy an AS & PI ipv6 subnet?­

Question:

­Thoughts comparing dual-stack deployment versus native IPv6 w/ NAT64/DNS64? Considering going with the later (I'm starting the testing).­

Question:

Will 6to4 clients be impacted if we don't route IPv6 with our Inet carrier?­

Question:

Do I need to change configuration in my router to route to ipv6 address host?­

Question:

­Roughly what percentage of public networks do not yet support ipv4?? Conversely, does common modern datacenter equipment already support ipv6 and come configured to use it by default?­

Thank you,

The CSC Moderator

Correct Answer
Phillip Remaker Fri, 05/20/2011 - 00:10

Thanks to all who attended and asked questions.  I will do my best to answer them based on what I understand the question to mean.  If I am not clear, please rephrase the question or ask another question.


Question:
Is there a way to test IPv6 tunnels if your service provider is not providing IPv6?

Yes.  You can use a number of free public tunnel broker services.  Three of the most popular are Hurricane Electric, SiXXS and Freenet6.  You can find a longer list of tunnel broker providers at http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers.  You can also use 6to4 or Teredo, but you can expect a more predictable experience from a Tunnel Broker.  See also: https://supportforums.cisco.com/docs/DOC-14969

Question:

Do Cisco ASA's support tunnelbroker services from HE?

This functionality was just added in 8.3, but I'm not yet aware of a Cisco authored tech note on the topic.  I did find an external site discussing it at http://efreedom.com/Question/2-147899/Cisco-ASA-Static-IPv6-Tunnel-Endpoint and I invite you to write up your own tech note on the support communities when you get it working.  This topic may merit an independent thread!

Correction: 5/20/2011 - several folks privately pointed out to that the mentioned article above refers only to passing IP protocol 41 through the firewall from a tunnel endpoint inside the firewall.  As of this writing, the ASA does not have the capability to terminate a 6in4 tunnel. 

Question:

How can I buy an AS & PI ipv6 subnet?

Contact your local Regional Internet Registry (RIR).  For example, the American Registry for Internet Numbers (ARIN) has their fee schedule for AS and PI subnets at https://www.arin.net/fees/fee_schedule.html.  The other RIRs are listed at http://en.wikipedia.org/wiki/Regional_Internet_registry

Question:

Thoughts comparing dual stack deployment versus native IPv6 w/ NAT64/DNS64? Considering going with the latter (I'm starting the testing).   

It depends a lot on your environment.  If the devices are mostly under your administrative control and still have to contact a lot of IPv4 devices, dual stack still makes the most sense.

If you are facing serious IPv4 address space constraints or the devices will primarily speak to other IPv6 or you want to be able to take advantage of the simplicities of an all IPv6 environment the, NAT64 may be the better choice.

Be aware that at this point, the Cisco NAT64 implementations are 1:1 (stateless) meaning that each IPv6 address reaching out an IPv4 device needs to be matched to a dedicated IPv4 address.  Presumably, a 1:many (stateful) NAT64 implementation will eventually become available.

In the end, the decision rests on your goals in your own network.  Ivan Pepelnjak makes a good case for NAT64 in a recent blog at http://blog.ioshints.info/2011/05/nat64-its-all-about-legacy-content.html, but most enterprises I see are opting for dual stack since they have well established IPv4 processes.  Even so, I know one large enterprise that prefers all IPv6 internally for the ease of subnet migration afforded by IPv6 as well as the ability to do away with stateful DHCP and IPv4 subnet management issues. For them, NAT64/DNS64 is the best path to access legacy IPv4 content.

Question:

Will 6to4 clients be impacted if we don't route IPv6 with our Inet carrier?


The beauty (horror?) of 6to4 is that it can run completely on an all-IPv4 carrier infrastructureIn fact, if you have a Windows Vista (o later) end host that gets assigned a global (non-RFC1918) address, it will automatically build a 6to4 tunnel to the nearest 6to4 relay using the well known anycast address of  192.0.2.42.  Similarly, some home gateways will automatically form 6to4 tunnels without end-user intervention.  So, even if your carrier does not run IPv6, any device that can reach the anycast address of 192.0.2.42 and pass IP protocol 41 can form a 6to4 tunnel.  In summary, 6to4 clients do not need IPv6 on the carrier as long as they can reach a 6to4 relay over IPv4

Question:
Do I need to change configuration in my router to route to ipv6 address host?

If you want to run IPv6 natively on the LAN, you will need to configure IPv6 on your router.  However, it is possible for IPv4 speaking hosts to directly terminate IPv6 through IPv4 so that the router does not NEED to participate.  However, for the most seamless experience to the end user, IPv6 should be enabled on the router interfaces.

Question:

Roughly what percentage of public networks do not yet support ipv4?? Conversely, does common modern datacenter equipment already support ipv6 and come configured to use it by default?

I would estimate that zero percent of public networks do not support IPv4.  Assuming the question intended to say IPv6, this question can be answered several ways.  Cisco's own Eric Vyncke tracks the number of IPv6 capable web sited by top level domain at http://www.vyncke.org/ipv6status/.  If you mean the number of service providers that can offer a native IPv6 connection, http://www.sixxs.net/faq/connectivity/?faq=native provides a list.  The "BGP Weathermap at http://bgpmon.net/weathermap.php?inet=6 shouls the number of IPv6 prefixes appearing on a per-country basis, and http://www.cidr-report.org/v6/as2.0/ provides Geoff Huston's report on the number of autonomous systems carrying IPv6 routes (prefixes).

As for the second part of the question, it depends on your definition of "Modern Datacenter Equipment."  My estimation is "not enough!!"  Clearly, all layer 2 switches "support" IPv6, but layer-crossing features like ARP and DHCP spoofing defense take different form when using IPv6 (collectively, the feature set is called "First Hop Security").  Industry wide, vendors are striving to get more IPv6 features in more places as fast as possible.  Which features do you most need in your modern datacenter equipment?

5/20/2011: Corrected erroneous statement on ASA tunnel termination.

lixiao1212 Thu, 05/26/2011 - 07:58

Hi Phil,

I have a confusion to request for you which concerns about VoIP. In fact we built up a small IPv6 network in our school labrary, which made up with three routers with the routing protocol RIPv6, now the situation is that each computer can ping  successfully to other two ones. Then I should achieve VoIP under this environment, I set up one server that has installed asterisk who is version 1.8 under the subnet 2002:0:0:100:0/64, put two other clients under the subnet  2002:0:0:200:0/64, if I want to etablish a call between these two sides, whether i could use the document 'Implementing VoIP for IPv6' as the reference? I have checked that the IOS necessary is 12.4(22), but ours is 12.4(13r), should I have to upgrade it?

Any help I will appreciate!!

Best regards

LI Xiao

Correct Answer
Phillip Remaker Thu, 05/26/2011 - 22:30

Hello Xiao,

'Implementing VoIP for IPv6' is a reference for using IPv6 features in Cisco Voice Gateway products.

If your 3 devices are just acting as IPv6 packet routers not as VoIP endpoints, code older than 12.4(22) should be OK.

However, what worries me is that you report the version as 12.4(13r), which is not an IOS version but a ROM Monitor version.   Please issue the "show version" command and look for the IOS Software version and not the ROM monitor version.

Will you be using the Cisco devices as voice gateways?

-Phil Remaker

ciscomoderator Thu, 05/26/2011 - 11:35

Phil, Here are some other questions from the live event that need to be answered:

  1. We all thought it was difficult to deply IPV6 on the core, but that is the easy part. What about IPv6 deploymnet at the access layer?
  2. Is IPv6 more mangeablet that IPv4 base networks?
  3. How to enter the IPv4 in network address of PC?
  4. How to enter the IPv6 in network address of PC?
  5. What benefits would running IPv6 give an enterpise that has only one IPv4 connection to the Internet... besides WOW gaming?
Phillip Remaker Thu, 05/26/2011 - 22:47

Thanks for asking!

We all thought it was difficult to deploy IPV6 on the core, but that is the easy part. What about IPv6 deployment at the access layer?

I'm not sure I understand this question, since it depends on what aspects of the access layer.  Assuming you mean getting endpoints to be IPv6 capable, just have your routers provide ICMP router advertisement information and make sure your devices have IPv6 capable stacks.

You can find a comprehensive reference at http://www.cisco.com/en/US/docs/ios/ipv6/configuration/guide/ip6-addrg_bsc_con.html

I wrote a blog entry on the very basics of IPv6 addressing at http://blogs.cisco.com/borderless/ipv6-automatic-addressing/

I have some notes on endpoint IPv6 support at http://blogs.cisco.com/borderless/disable-ipv6/

If you are asking about getting IPv6 connectivity to the Internet, maybe http://blogs.cisco.com/borderless/how-to-get-ipv6-now/ will help.

Is IPv6 more manageable than IPv4 base networks?

In some ways, yes.  The depth of the address space makes it possible for devices to pick their own addresses without end-user intervention.  Many hosts can be placed on a flat subnet without worrying about exhausting the address space.  Managing subnet blocks on a DHCP server becomes a thing of the past.  Address management is remarkably easier.

Subnet re-addressing becomes easier, too.  Graceful subnet renumbering is possible by the protocol design and the abundance of address space, permitting two different subnets to exist on one subnet during the address deprecation process.

On the downside, not all network management tools (yet) support IPv6, and some management tools have a concept of "exactly one address per device."  The ability for an IPv6 device to have many addresses provides some interesting capabilities around privacy and policy enforcement, but management processes that fail to recognize such a capability may cause the network to seem less manageable.

How to enter the IPv4 in network address of PC?

How to enter the IPv6 in network address of PC?

This depends on the operating system.  In most modern operating systems, some form of a Network Control Panel exists in the GUI.  In most IPv6 cases, the device will automatically pick its own address. 

For command line configuration, Windows uses netsh, MacOS uses ipconfig, and Linux uses ifconfig or ip.

What benefits would running IPv6 give an enterprise that has only one IPv4 connection to the Internet... besides WOW gaming?

  • More address space!  Less time spent managing DHCP address pools, easy subnet renumbering.
  • No paying for static IPv4 addresses.  IPv6 subnets have nearly unlimited "outside" addresses.
  • Less time building NAT table translation entries and port forwarding to make up for the small address space.
  • Direct point-to-point desktop sharing (or file transfer) without relying on intermediate servers.
  • Windows Server 2008 SP2 and Windows Vista conduct all active Directory transactions by IPv6 if available.
  • NAT timeouts will not disrupt long standing but traffic idle connections (and NAT keepalives are no longer needed).
  • Features like Microsoft DirectAccess can provide direct point to point IPv6 connection between devices without having to manage VPN concentrators or Network Address Translation device configurations. 
  • Privacy addressing.  Devices can rotate their IPv6 address, making them harder to track in web server logs
  • Potential for improved efficiency and performance of peer-to-peer communication.  Currently, BitTorrent and WOW take advantage of this, but one can envision future inter- and intra- enterprise peer to peer apps may follow. Insert imagination here.

The biggest win for now still remains the sheer size of the address space, and the ability to bypass the use of NAT devices.  The ability to directly reach devices without application layer gateways or other "packet rewriters" opens the door for many future applications as IPv6 adoption increases.

Hey, I didn't like any of these answers!

Ask another question below, or post some clarifying information and I will do my best to develop a more satisfying answer.

Actions

Login or Register to take actions

This Discussion

Posted May 17, 2011 at 10:31 AM
Stats:
Replies:6 Avg. Rating:5
Views:3734 Votes:0
Shares:0

Related Content

Discussions Leaderboard