6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

Managing the IPv6 Transition:
Core Equipment for Merged IPv4/IPv6 Network Services

Foundry Networks

 

As service providers and enterprises add IPv6 applications to their networks, it is imperative that the networks be designed and built to efficiently support the simultaneous use of both IPv4 and IPv6. To do this, Foundry Networks NetIron products have been designed with embedded support for the high-speed processing of both IPv4 and IPv6 traffic, as well as the IPv6 transition mechanisms that have become popular in the industry. In addition, two pieces that are frequently overlooked in the design of dual-protocol networks, security and management, have been embedded in the NetIron products. The first is a set of extensions to provide IPv6-aware VLANs and access control lists. The second is a high-speed implementation of the sFlow RFC. This article discusses the features necessary to provide highly functional, dual-protocol networks that provide instrumentation for network-wide visibility and extended support for security.

Dual-Protocol Network Transition Methodologies

Many of the early discussions on IPv6 focused on its benefits over IPv4, and more recently on the applications that will drive the adoption of IPv6. However, events have shifted the discussion, since the DoD and other worldwide governmental agencies have made public statements not only endorsing IPv6, but mandating that equipment be IPv6-ready. Because of these events, and market forces (especially in Asia), it is now clear that IPv6 will become the dominant protocol over time. The question is how to build and instrument networks that effectively support both IPv4 and IPv6 applications and infrastructure, knowing that IPv4 will still be around for some time.

Clearly there must be a transition that allows for IPv6 to co-exist with IPv4 network equipment and applications. There are many options to implement this transition. One option is for IPv6 application islands to be tunneled over IPv4 networks. This allows IPv6 applications to talk to other IPv6 applications, but given there are so many existing IPv4 applications, this option has its limitations. The other option is to use a gateway to interconnect IPv4 and IPv6 applications. There are a number of methods for providing this gateway service. All have performance limitations and are difficult to manage. There are also methods for providing services for the coexistence of IPv6 applications and nodes on actual IPv4 networks. For example, ISATAP allows an IPv6 node to operate on an IPv4 network.

Regardless of which of these technologies and methodologies one chooses, given the sudden push for IPv6, many operators are now looking for core networking equipment that provides scalable, high-performance, highly reliable IPv4 and IPv6 support. As they upgrade their networks, operators must be able to support both IPv4 and IPv6 switching and routing in high-speed hardware, must have embedded support for IPv6 transition technology, and must have underlying support for the security and manageability services needed to ensure the operational viability of their networks.

Delivering Core IPv6 Services for Dual-Protocol Networks

In order to meet the needs of the growing number of operators that are upgrading their networks to support new services like IPv6, Foundry Networks provides ASIC-based, high-performance IPv6 forwarding, full IPv6 routing, and transition technology to support dual-protocol networks. To address the needs for security and manageability, often overlooked by many networking vendors, Foundry supports extended security features for IPv6, as well as our embedded sFlow technology. The sFlow IPv6 features in our core NetIron products provide instrumentation for network-wide visibility. This technology is important for successfully monitoring, managing, accounting, and securing both IPv4 and IPv6 traffic and ensuring smooth operation of the services and applications for both protocols.

Foundry's NetIron product family provides full support for both hardware-based IPv4 and IPv6 switching. The key to this technology is that both IPv4 and IPv6 forwarding are done using an advanced hardware-based, dual-stack architecture, delivering wire-speed packet forwarding. For highly scalable operator environments, the NetIron supports FDR (Foundry Direct Routing), which provides large-scale, hardware-based routing with the capacity to support four times the entire Internet routing table in hardware.

To control the high-speed dataplane, the NetIron IronShield operating system supports a range of both unicast and multicast IPv4 and IPv6 routing protocols. These include:

  • IPv4 unicast - RIP, OSPFv2, BGP-4, IS-IS

  • IPv4 multicast - DVMRP, MSDP, PIM-SM, PIM-SSM, PIM-DM

  • IPv6 unicast - RIPng, OSPFv3, MP-BGP, IS-IS

  • IPv6 multicast - PIM-SSM, MLD

For service providers, it is critical that next generation network equipment have high-density port configurations, be extremely reliable and resilient, and support high-speed IPv6 forwarding, but this is not enough. Supporting protocols like IS-ISv6, PIM-SSMv6, and MP-BGP are needed to ensure that new services are delivered reliably and managed efficiently.

In addition to the routing protocols, embedded support for the transition technology software must be provided as part of the core infrastructure. To this end, Foundry provides three different types of tunneling to facilitate the migration to IPv6 in an IPv4 world: 6to4 tunnels, configured tunnels, and automatic tunnels.

Access control and security is an area where network operators frequently have little visibility into or control over their operations. To provide this control, Foundry provides IPv6 protocol VLANs, which allow the creation of separate IPv4 and IPv6 broadcast domains. IronShield also supports wire-speed extended IPv6 access control lists (ACLs). These can identify traffic based on source/destination IP address, IP protocol type, TCP/UDP port, IP precedence, or ToS values. The ACL support also allows selective ACL logging and can scale up to 40,000 ACLs.

Embedded sFlow for Network-Wide Visibility

Foundry has extended its scalable, ASIC-based, wire-speed sFlow (RFC 3176) monitoring and accounting solution for use in an IPv6 network. This feature allows operators with IPv6 traffic to gather a variety of sophisticated network statistics and information for capacity planning and real-time monitoring purposes. The data collected using sFlow can be used to help in the transition from IPv4 to IPv6. For capacity planning, the data can assist in deciding where additional IPv6 infrastructure should be installed. sFlow data can also help with IPv6 application awareness, validate service levels and priorities, and assist in security audits.
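As an added illustration (not from the original article and not Foundry code), the sketch below shows the kind of security audit that sampled packet headers make possible on a dual-protocol network: it separates native IPv4, native IPv6, and IPv6 tunneled in IPv4 (protocol 41), and goes slightly beyond the text by checking that a 6to4 source address really embeds the outer IPv4 source. It assumes each sample starts at the IP header; the function names and the sample packets are constructed for the example.

```python
import ipaddress
import struct
from collections import Counter

PROTO_41 = 41  # IPv4 protocol number for IPv6 encapsulated in IPv4

def classify(pkt: bytes) -> str:
    """Classify one sampled packet, assumed to start at the IP header."""
    if len(pkt) < 20:
        return "other"
    version = pkt[0] >> 4
    if version != 4:
        return "ipv6-native" if version == 6 else "other"
    if pkt[9] != PROTO_41:
        return "ipv4"
    outer_src = ipaddress.IPv4Address(pkt[12:16])
    inner = pkt[(pkt[0] & 0x0F) * 4:]           # skip IPv4 header (IHL words)
    if len(inner) < 40 or inner[0] >> 4 != 6:
        return "proto41-truncated"
    # A 6to4 source (2002::/16) embeds the tunnel endpoint's IPv4 address;
    # .sixtofour is None for any other IPv6 address.
    embedded = ipaddress.IPv6Address(inner[8:24]).sixtofour
    if embedded is None:
        return "ipv6-in-ipv4"                    # e.g. a configured tunnel
    return "6to4" if embedded == outer_src else "6to4-src-mismatch"

def audit(samples):
    return Counter(classify(s) for s in samples)

def v4(src, dst, proto, payload=b""):
    """Build a minimal IPv4 header (constructed test data, checksum 0)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def v6(src, dst):
    """Build a minimal IPv6 header with no payload (constructed test data)."""
    return (struct.pack("!IHBB", 6 << 28, 0, 59, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed samples using documentation address ranges.
SAMPLES = [
    v4("192.0.2.1", "198.51.100.7", 6),
    v6("2001:db8::1", "2001:db8::2"),
    v4("192.0.2.1", "198.51.100.7", PROTO_41, v6("2002:c000:201::1", "2001:db8::2")),
    v4("203.0.113.9", "198.51.100.7", PROTO_41, v6("2002:c000:201::1", "2001:db8::2")),
    v4("192.0.2.1", "198.51.100.7", PROTO_41, v6("2001:db8::1", "2001:db8::2")),
]
```

A non-zero "6to4-src-mismatch" count is worth investigating as possible spoofing through the tunnel, and a large "ipv6-in-ipv4" share shows where IPv4-only ACLs are not inspecting the inner IPv6 header.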

Conclusion

To meet operators' growing need for core networking equipment that supports high-performance, feature-rich IPv4 and IPv6 switching and routing, Foundry's NetIron products support high-speed IPv6 packet forwarding, deliver a full set of IPv6 routing and security features, offer sophisticated tunneling, and provide extended sFlow technology for managing, monitoring, and auditing IPv6 traffic. Together, these features provide a unique foundation and platform that allows operators to deliver merged, interoperable, high-performance IPv4 and IPv6 services.