One thing to keep in mind is that your IPv6 router and IP router can be completely different devices. There is no need to forklift your firewall or current setup if you can easily add an IPv6 router to the network.

Using multiple ISPs is still something that is a bit tricky. A lot of people have gotten used to the Dual-WAN firewall appliance boxes that accept connections from two ISPs and handle the failover, depending on NAT to maintain the functionality of the internal network. Larger organizations can arrange to have IPv6 transit and announce a single prefix over BGP. Most providers won't want to see this setup for an SMB, so they're out of luck.

One thing that has changed, though, is that Metro Ethernet offerings have gotten a lot better. I would say the most painless way to go would be to use one ISP for L3, and two ME providers to give diverse L2 paths to that L3 ISP. It means dealing with more companies, and moving failover to L2, but it's pretty rare that the cause of a connection problem is at the ISP these days (it's more often a bad connection between you and the ISP), so just having redundancy at L2 might be enough. Sadly, that model doesn't really exist in the US right now, and it might take quite a bit of work convincing providers to coordinate to make it all work.

The other option, which was the intent of IPv6 when it was being designed (but that was 10 years ago or so), was that every PC would have a separate address from each ISP. In this situation you could depend on ULA (local addressing) for access to all internal services, so that if one of the global prefixes goes away it doesn't impact internal operation, but it does require a device to kind of coordinate that; such a device doesn't exist yet, and there are some issues with getting PCs to handle address selection correctly. I suspect if this does happen (and it could, it's not a horrible model) it will take a few more years before it's "easy".
It's too bad they axed the site-local scope for this kind of environment. For now, I would recommend just going with a single IPv6 provider, since I have yet to encounter IPv6-only content that is mission critical. That will at least give you access to the IPv6 Internet now, but give the IPv6 market time to come around to meet the needs of SMBs wanting redundancy in IPv6 access.

I'm not aware of any appliance that does a good job at IPv6 yet... If it were me I would build up a Linux box as an IPv6 firewall, router, etc. It's really too bad that there isn't such an appliance yet. You could just use a Cisco ISR (like an 1841) as your IPv6-on-a-stick router, but the problem is that you really want to keep in mind that once you give out global addresses to hosts, they're not behind your NAT firewall for IPv6. So you'll want to implement some sort of stateful firewall for IPv6, or enable host-based IPv6 firewalls.

We've decided to disable SLAAC (Stateless Address Autoconfiguration) on almost all our IPv6 networks and use DHCPv6 exclusively. This allows us to only respond with DHCPv6 to the hosts we want to get an IPv6 address, instead of enabling it network-wide and crossing your fingers. The disadvantage here is that DHCPv6 client support is still limited (OS X has none, for example). The argument is that IPv6 isn't mission critical yet, so we're waiting to see if vendors will come around and include DHCPv6 client support in the future.

Another thing you want to do is block rogue RA. RA-Guard is the feature name, but nobody has a working implementation yet. If you have switches that can do port-based access lists with IPv6, you can create ingress filters to block incoming RA on a per-port basis, which is what we have done. It works rather well.

On Thu, Oct 21, 2010 at 12:29 PM, Allen Smith <lazlor@lotaris.org> wrote:
Hi All,
I've inherited a small network with a couple of Internet connections through different providers, I'll call them Slow and Fast.
We use RFC 1918 space internally and have a pair of external firewalls that handle NAT and such.
Due to internal policy (read: money), some users default to the Slow connection and some default to Fast. Using probes and policy routing, a failure of one of the ISPs is generally transparent (outside of the usual session resets for things like ssh or remote control sessions).
Looking forward to the next 12 months, we may have clients that are living in IPv6 space. Our ISPs are happy to give us IPv6 allocations and our network gear vendors either have GA IPv6 code now or will soon.
We have been somewhat spoiled by our firewall/NAT boxes; the stuff just works for our needs, and the combination of NAT and policy routing keeps people on the circuits they are paying for. I'm trying to decide how I would implement this kind of policy in the new world of globally trackable^H^H^H^H^H^H^H routable IPs for my desktops. Solutions seem to be:
1) Purchase some BGP-capable routers, grab PI space. Here I can obviously choose the outbound path, but we are typical in that our inbound-to-outbound ratio is 6 or 7 to 1.
2) Assign PA space from the ISPs to the appropriate devices. What do I do when I lose a provider?
3) Make loud noises to my firewall vendor to include equivalent NAT/ISP failover functionality (even 6to6 NAT would be fine).
Anyway, another sample of 1, but I do work for a managed services provider and see many small orgs facing similar choices. I personally am happy to use globally routable addresses and will work through the privacy and perceived security implications of NAT/no-NAT; I just want the same ease of use and flexibility I have today in an SMB environment.
Cheers, -Allen
--
Ray Soucy
Epic Communications Specialist
Phone: +1 (207) 561-3526
Networkmaine, a Unit of the University of Maine System
http://www.networkmaine.net/
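The two operational points in Ray's reply, turning off SLAAC in favour of DHCPv6 and dropping rogue Router Advertisements at the access port, both come down to what is in the ICMPv6 RA. The following is an added example, not code from the thread or from Networkmaine: it builds RA bodies with the RFC 4861 M/O flags and Prefix Information A flag, parses them, and classifies each RA against a constructed allow-list of legitimate router link-local addresses (the same decision a per-port ingress ACL or RA-Guard makes in hardware). The prefix `2001:db8:1::/64`, the router address `fe80::1` and the rogue source `fe80::dead:beef` are constructed sample values.

```python
"""Inspect ICMPv6 Router Advertisements to enforce a DHCPv6-only, no-rogue-RA
policy. Added example, not from the original thread. Packet layout follows
RFC 4861; the allow-list and sample packets are constructed for illustration."""
import struct
import ipaddress

ICMPV6_RA = 134             # ICMPv6 type: Router Advertisement
OPT_PREFIX_INFO = 3         # Prefix Information option
RA_FLAG_MANAGED = 0x80      # M: obtain addresses via DHCPv6
RA_FLAG_OTHER = 0x40        # O: obtain other config (DNS, ...) via DHCPv6
PIO_FLAG_ONLINK = 0x80      # L: prefix is on-link
PIO_FLAG_AUTONOMOUS = 0x40  # A: hosts may SLAAC an address from this prefix


def build_ra(managed, other, prefix, autonomous, router_lifetime=1800):
    """Build an RA body: 16-byte header plus one 32-byte Prefix Information
    option. The ICMPv6 checksum is left at 0 because it covers the IPv6
    pseudo-header; a real sender fills it in once it knows the addresses."""
    flags = (RA_FLAG_MANAGED if managed else 0) | (RA_FLAG_OTHER if other else 0)
    net = ipaddress.IPv6Network(prefix)
    header = struct.pack("!BBHBBHII", ICMPV6_RA, 0, 0,
                         64,                 # current hop limit
                         flags, router_lifetime,
                         0, 0)               # reachable time, retrans timer
    pio_flags = PIO_FLAG_ONLINK | (PIO_FLAG_AUTONOMOUS if autonomous else 0)
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, pio_flags,
                      2592000,               # valid lifetime (30 days)
                      604800,                # preferred lifetime (7 days)
                      0)                     # reserved
    return header + pio + net.network_address.packed


def parse_ra(data):
    """Return the M/O flags and the Prefix Information options of an RA.
    Malformed options (zero length, truncated) raise ValueError; RFC 4861
    section 6.1.2 says such packets must be discarded."""
    if len(data) < 16 or data[0] != ICMPV6_RA:
        raise ValueError("not a Router Advertisement")
    _, _, _, _, flags, lifetime, _, _ = struct.unpack("!BBHBBHII", data[:16])
    ra = {"managed": bool(flags & RA_FLAG_MANAGED),
          "other": bool(flags & RA_FLAG_OTHER),
          "router_lifetime": lifetime,
          "prefixes": []}
    off = 16
    while off + 2 <= len(data):
        otype, olen = data[off], data[off + 1]
        if olen == 0:
            raise ValueError("zero-length option")
        end = off + olen * 8                 # option length is in 8-byte units
        if end > len(data):
            raise ValueError("truncated option")
        if otype == OPT_PREFIX_INFO and olen == 4:
            plen, pflags = data[off + 2], data[off + 3]
            prefix = ipaddress.IPv6Address(data[off + 16:off + 32])
            ra["prefixes"].append({
                "prefix": f"{prefix}/{plen}",
                "onlink": bool(pflags & PIO_FLAG_ONLINK),
                "autonomous": bool(pflags & PIO_FLAG_AUTONOMOUS)})
        off = end
    return ra


def classify_ra(src_lladdr, data, allowed_routers):
    """Decide what an RA arriving on an access port means for the policy.
    allowed_routers: constructed allow-list of the real routers' link-local
    addresses, i.e. what a per-port ingress ACL or RA-Guard would encode."""
    if src_lladdr not in allowed_routers:
        return "rogue"          # drop it; hosts must never act on this RA
    ra = parse_ra(data)
    if any(p["autonomous"] for p in ra["prefixes"]):
        return "slaac"          # A=1: hosts self-configure, DHCPv6 not enforced
    if ra["managed"]:
        return "dhcpv6-only"    # M=1, A=0: addresses come only from DHCPv6
    return "route-only"         # RA supplies a default route but no addressing


if __name__ == "__main__":
    routers = {"fe80::1"}                                   # constructed
    policy_ra = build_ra(True, True, "2001:db8:1::/64", autonomous=False)
    slaac_ra = build_ra(False, False, "2001:db8:1::/64", autonomous=True)
    for src, pkt in [("fe80::1", policy_ra), ("fe80::1", slaac_ra),
                     ("fe80::dead:beef", policy_ra)]:
        print(f"{src:>18} -> {classify_ra(src, pkt, routers)}")
```

The "dhcpv6-only" shape (M set, A clear on every prefix) is what the reply describes: the RA still hands hosts a default route, but no host can self-assign a global address, so the DHCPv6 server decides which machines get one. The caveat from the thread applies unchanged: a host with no DHCPv6 client sees that RA and ends up with a route but no global address. The "rogue" branch is taken before the packet is even parsed, which is the right order for a port filter: an RA from an unexpected source is dropped regardless of what it advertises.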