6Sense: Generating New Possibilities in the New Internet.
Produced by: IPv6 Summit, Inc.

Enterprise & Service Provider Solutions for Merged IPv4/IPv6 Network Services
by Foundry Networks

As service providers and enterprises add IPv6 applications to their networks, it is imperative that the networks be designed and built to efficiently support the simultaneous use of both IPv4 and IPv6. To support this, Foundry Networks has developed a set of dual protocol networking solutions that have been designed with embedded support for the high-speed switching and routing of IPv4 and IPv6 traffic, as well as the IPv6 transition mechanisms that have become popular in the industry.

In addition, two pieces that are frequently overlooked in the design of dual-protocol networks, security and management, have been embedded in Foundry's IPv6 networking solutions. The first is a set of extensions to provide IPv6-aware VLANs and access control lists. The second is a high-speed implementation of the sFlow RFC. This article discusses the features necessary to build highly functional dual-protocol networks that offer instrumentation for network-wide visibility and extended support for security.

Dual-Protocol Network Transition Methodologies
Many of the early discussions on IPv6 focused on the benefits versus IPv4, and, recently, on the applications that will drive the adoption of IPv6. But events have shifted the discussion, as the DoD and other worldwide governmental agencies have made public statements not only endorsing IPv6, but mandating that equipment be IPv6 ready. Because of these events, and market forces (especially in Asia), it is now clear that IPv6 will become the dominant protocol over time. The question is how do we build and instrument networks to effectively allow for the support of both IPv4 and IPv6 applications and infrastructure when we know that IPv4 will still be around for some time?

Clearly there must be a transition that allows IPv6 to co-exist with IPv4 network equipment and applications. There is a range of options available to implement this transition. One option is for IPv6 application islands to be tunneled over IPv4 networks. This allows IPv6 applications to talk to other IPv6 applications, but given that there are so many existing IPv4 applications, this has its limitations. The other option is for a gateway to be used to interconnect IPv4 and IPv6 applications. There are a number of methods for providing this gateway service. All have performance limitations and are difficult to manage. There are also methods for providing services for the coexistence of IPv6 applications and nodes on actual IPv4 networks. For example, ISATAP allows an IPv6 node to operate on an IPv4 network.

Regardless of which of these technologies and methodologies one chooses, given the sudden push for IPv6, many operators are now looking for core networking equipment that provides scalable, high-performance, highly reliable IPv4 and IPv6 support. As they upgrade their networks, they must be able to support both IPv4 and IPv6 switching and routing in high-speed hardware, they must have embedded support for IPv6 transition technology, and they must have underlying support for the security and manageability services needed to ensure the operational viability of their networks.

Delivering Core IPv6 Services for Dual-Protocol Networks
In order to meet the needs of the growing number of operators that are upgrading their networks to support new services like IPv6, Foundry Networks provides ASIC-based high-performance IPv6 forwarding, full IPv6 routing, as well as transition technology to support dual-protocol networks. To address the needs for security and manageability, often overlooked by many networking vendors, Foundry supports extended security features for IPv6, as well as our embedded sFlow technology. The sFlow IPv6 features in our Enterprise-based FastIron Edge & Chassis products, as well as our Service Provider NetIron products, provide instrumentation for network-wide visibility. This technology is important to successfully monitor, manage, account for and secure both IPv4 and IPv6 traffic and to ensure smooth operation of the services and applications for both protocols.

Foundry's FastIron & NetIron product families provide full support for hardware-based IPv4 and IPv6 switching. The key to this technology is that both IPv4 and IPv6 forwarding are done using an advanced hardware-based dual-stack architecture, delivering wire-speed packet forwarding. For enterprise aggregation and core density and performance, the FastIron RX family of products provides high-speed IPv4 and IPv6 routing and switching. For highly scalable operator environments, the NetIron IMR and XMR families support FDR (Foundry Direct Routing), which provides large-scale hardware-based routing with the capacity to support many copies of the entire Internet routing table in hardware.

To control the high-speed dataplane, Foundry's IronWare operating system supports a range of both unicast and multicast IPv4 and IPv6 routing protocols. This includes:

  • IPv4 unicast - RIP, OSPFv2, BGP-4, IS-IS
  • IPv4 multicast - DVMRP, MSDP, PIM-SM, PIM-SSM, PIM-DM
  • IPv6 unicast - RIPng, OSPFv3, BGP-4+, IS-ISv6
  • IPv6 multicast - PIM-SSM, MLDv2

For service providers, it is critical that next generation network equipment have high-density port configurations, be extremely reliable & resilient, and support high-speed IPv6 forwarding. In addition, supporting protocols like IS-ISv6, PIM-SSMv6, and BGP-4+ are needed to ensure that new services are delivered reliably and managed efficiently.

In addition to the routing protocols, embedded support for IPv4-to-IPv6 transition software must be provided as part of the edge & core infrastructure. This is especially important in enterprise environments where new IPv6 applications must coexist with existing IPv4 applications and networks. To this end, Foundry provides three different types of tunneling to facilitate the migration to IPv6 in an IPv4 world. This includes 6to4, as well as both configured and automatic tunnels.

It is in the area of access control and security where enterprises & network operators frequently have little visibility or control of their operations. To provide for this control, Foundry's IronWare provides IPv6 protocol VLANs, which allow the creation of separate IPv4 and IPv6 broadcast domains. IronWare also supports wire-speed extended IPv6 access control lists (ACLs). This includes the ability to identify traffic based on source/destination IP address, IP protocol type, TCP/UDP port, IP precedence or ToS values. This also allows selective ACL logging and can scale up to 120,000 ACLs.

Embedded sFlow for Network Wide Visibility
Foundry has extended its scalable, ASIC-based, wire-speed sFlow (RFC 3176) monitoring and accounting solution for use in an IPv6 network. This feature allows enterprises and service providers with IPv6 traffic to gather a variety of sophisticated network statistics and information for capacity planning and real-time monitoring purposes. The data collected using sFlow can be used to help in the transition from IPv4 to IPv6. For capacity purposes, the data can assist in deciding where additional IPv6 infrastructure should be installed. It can also help with IPv6 application awareness, validate service levels and priorities, and assist in security audits.
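
The following sketch is an added example, not Foundry code and not part of the original article. It shows the kind of audit that flow samples make possible in a dual-protocol network: it counts traffic by type and flags IPv6 sources whose 6to4 or ISATAP address embeds an IPv4 address that an IPv4 deny list already covers. The sample records and the deny list are constructed, and the records are plain tuples rather than decoded sFlow datagrams.

```python
import ipaddress
from collections import Counter

# Constructed flow samples (src, dst, ip_protocol); not real sFlow datagrams.
SAMPLES = [
    ("192.0.2.10", "198.51.100.5", 6),               # native IPv4, TCP
    ("192.0.2.20", "198.51.100.9", 41),              # IPv6 carried in IPv4 (protocol 41)
    ("2001:db8::1", "2001:db8:1::2", 6),             # native IPv6, TCP
    ("2002:cb00:7107::1", "2001:db8::5", 17),        # 6to4, embeds 203.0.113.7
    ("2001:db8::5efe:cb00:7163", "2001:db8::5", 6),  # ISATAP, embeds 203.0.113.99
]

# Assumed IPv4 deny list that the IPv6 policy is expected to mirror.
BLOCKED_V4 = [ipaddress.ip_network("203.0.113.0/26")]


def embedded_ipv4(addr):
    """Return the IPv4 address embedded in a 6to4 or ISATAP address, else None."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 6:
        return None
    if ip.sixtofour is not None:          # 2002::/16 prefix (RFC 3056)
        return ip.sixtofour
    # ISATAP interface identifier is 0000:5efe or 0200:5efe followed by the IPv4 address.
    if (int(ip) >> 32) & 0xFFFFFFFF in (0x00005EFE, 0x02005EFE):
        return ipaddress.IPv4Address(int(ip) & 0xFFFFFFFF)
    return None


def classify(src, proto):
    """Label one sample by address family and transition mechanism."""
    if ipaddress.ip_address(src).version == 4:
        return "ipv6-in-ipv4" if proto == 41 else "ipv4"
    return "ipv6-transition" if embedded_ipv4(src) is not None else "ipv6-native"


def audit(samples, blocked):
    """Return (traffic mix, IPv6 sources whose embedded IPv4 is on the deny list)."""
    mix = Counter(classify(src, proto) for src, _, proto in samples)
    hits = [(src, str(v4)) for src, _, _ in samples
            if (v4 := embedded_ipv4(src)) is not None
            and any(v4 in net for net in blocked)]
    return mix, hits


if __name__ == "__main__":
    print(audit(SAMPLES, BLOCKED_V4))
```

A hit means the IPv4 rule has no effect on that flow unless an equivalent IPv6 ACL entry exists.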

Conclusion
To meet the growing need to provide operators with core networking equipment that supports high-performance, feature-rich IPv4 and IPv6 switching and routing, Foundry's Enterprise FastIron and Service Provider NetIron families of networking products support high-speed IPv6 packet forwarding; deliver a full set of IPv6 routing and security features; offer sophisticated tunneling options; and provide extended sFlow technology for managing, monitoring and auditing IPv6 traffic. Together these provide a unique foundation and platform that allows enterprises and operators to deliver merged, interoperable, high-performance IPv4 and IPv6 services.
