V6ops Working Group
Enterprise Design Team
INTERNET-DRAFT: draft-pouffary-v6ops-ent-v6net-02.txt
OBSOLETES: draft-pouffary-v6ops-ent-v6net-01.txt
Expires: May 2003

Yanick Pouffary (Chair), Hewlett Packard
Jim Bound (Editor), Hewlett Packard
Yurie Rich, Native6 Group
Marc Blanchet, Viagenie
Tony Hain, Cisco
Paul Gilbert, Cisco
Scott Hahn, Intel
Margaret Wasserman, Wind River
Jason Goldschmidt, Sun Microsystems
Mathew Lehman, Microsoft
Aldrin Isaac, Bloomberg

December 2002

                   IPv6 Enterprise Networks Scenarios

Status of this Memo

This document is an Internet-Draft and is in full conformance with all
provisions of Section 10 of RFC2026.

Internet-Drafts are working documents of the Internet Engineering Task
Force (IETF), its areas, and its working groups. Note that other groups
may also distribute working documents as Internet-Drafts.

Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference material
or to cite them other than as "work in progress."

The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt

The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.

Abstract

IPv6 will be deployed in Enterprise networks, and this scenario has its
own requirements for the adoption of IPv6. This document defines a set
of technology scenarios that exist for the Enterprise network, together
with the transition variables, transition methods, and tools required
by the different scenarios. Using these definitions, the document
identifies the points of transition for an Enterprise network.

Table of Contents

   1.  Introduction
   2.  Requirements
   3.  Terminology
   4.  Enterprise Network Assumptions
   5.  Enterprise Network Scenarios Overview
   6.  Enterprise Points of Transition Methods
       6.1 M1: IPv4 Tunnels to Encapsulate IPv6
       6.2 M2: IPv6 Tunnels to Encapsulate IPv4
       6.3 M3: IPv6 NAT to Communicate with IPv4
       6.4 M4: IPv6 Native LANs
       6.5 M5: IPv6 Native Routing Domains
       6.6 M6: Dual Stack Nodes supporting IPv6 and IPv4
       6.7 M7: Single Stack IPv6 ONLY Nodes
   7.  Enterprise Network Infrastructure Points of Transition
       7.1 DNS
       7.2 Routing
       7.3 Autoconfiguration
       7.4 Security
       7.5 Applications and APIs
       7.6 IPv6 Address Scoping
       7.7 Network Management
       7.8 Address Planning
   8.  Enterprise Tools Requirements
       8.1 Routing Configuration
       8.2 DNS Configuration
       8.3 IPv6 Address Allocation and Configuration
       8.4 IPv4 Address Allocation and Configuration
       8.5 VPN/Tunnel Configuration
       8.6 Mobile Node IPv4/IPv6 Interoperation Configuration
   9.  Enterprise Network Scenarios in Depth
   10. Enterprise Network Scenarios Matrix Graph
   11. Applicability Statement
   12. Security Section
   Acknowledgments
   References
   Authors' Addresses

1. Introduction

IPv6 will be deployed in Enterprise networks, and this scenario has its
own requirements for the adoption of IPv6. This document defines a set
of technology scenarios that exist for the Enterprise network, together
with the transition variables, transition methods, and tools required
by the different scenarios. Using these definitions, the document
identifies the points of transition for an Enterprise network.

An Enterprise network, for this document, is a user network that is
connected to an Internet Service Provider (ISP) or a Private Network
Service Provider (PNSP), is actively managed by the users of that
network, and has multiple independent networks within the Enterprise.
It may also have Mobile IP users who access the Enterprise Network from
within it, from the public Internet, or from a private external
network. An Enterprise could be a Fortune 100 large business (e.g.
manufacturing, financial, government) or a small office business (e.g.
a law firm, a stock brokerage, a discrete engineering parts supplier,
an office of 30 users).

The rate and methods of IPv6 adoption will vary between Enterprise
networks. The only constants we can hope to define are the transition
and tool requirements, based on what has been learned so far from
existing work on IPv6 transition mechanisms, from current early-adopter
deployments, and from the results produced by this document.
This document will not declare specific transition mechanisms or tools;
rather, it provides a template that users, implementors, and IETF
specifications can use to apply or define such mechanisms and tools. A
goal of this document is for the result to be a template for how
existing transition mechanisms and tools could be used in the
Enterprise network scenario.

2. Requirements

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in RFC 2119.

3. Terminology

Enterprise Network - An Enterprise Network is a network that has
multiple links, a router connection to a Provider, and is actively
managed by a network operations entity.

Provider - A Provider is an entity that provides services and
connectivity to the Internet, or to other private external networks,
for the Enterprise Network.

Edge - The Edge is the set of ingress and egress points connecting to
the Internet, an Extranet, or another private external network.

Administrative Domain - An Administrative Domain is the set of ingress
and egress points connecting nodes across the Enterprise Network,
behind the Edges.

Extranet - An Extranet is any Enterprise-Network-owned network
component at the Edge that is not part of the Administrative Domain.

Border Router - An Enterprise Network Border Router is a router that is
configured at an Edge.

Internal Router - An Enterprise Network Internal Router is a router
that is not configured at an Edge, but within the Administrative
Domain.

Mobile - An Enterprise Network condition in which a node changes its
network location, or is not attached to the Administrative Domain.

Mobile Node - An Enterprise Network Mobile Node is any node that is
Mobile, whether inside or outside the Administrative Domain, including
a remote telecommuting node.

Points of Transition - An Enterprise Network Point of Transition is a
general abstraction used to note functions that must be defined for
the transition to IPv6.

Internet Network Provider - A Provider of connectivity and services to
the public Internet.

Private Network Provider - A Provider of connectivity and services to a
private Internet.

Dual Stack IPv4/IPv6 Node - A node that supports both IPv4 and IPv6.

IPv4 ONLY Node - A node that supports only IPv4.

4. Enterprise Network Assumptions

This section states the assumptions of this document. No one can tell
users how to transition; they will all do it differently. Some users
will move to IPv6 right away rather than later, simply because it is
easier, as one example, for those using 802.11 technology with Mobile
IP. Some users have hardly any IPv4 address space, while others have
plenty. Whether to use global or private address space is a point of
contention in determining how to transition to IPv6: for applications
to communicate across a Provider network, globally routable addresses
are required for peer-to-peer communication and security.

Enterprise Networks will vary in size and network complexity, from a
small office to a large manufacturing operation with multiple sites
across a wide geography.

Points of Transition will need to be defined for the following:

   - Routers
   - Non-Router Nodes
   - Network Topology
   - Network Applications
   - Network Management and Tools
   - Network Security
   - Network Mobility
   - Network VPNs
   - Network Telecommuter Work Force
   - Network Inter-Site Communications

This document will identify those Points of Transition and discuss
them within a set of scenarios. This document will not provide
solutions; a set of suggested solutions will be provided in a follow-on
document to this work.
Enterprise Networks will vary in how they approach the transition to
IPv6 depending on a set of transition variables (V1..VN):

   V1:  IPv4 NAT and Firewall using IPv4 private addresses.
   V2:  IPv4 Firewall using IPv4 globally routable addresses.
   V3:  Applications must be able to communicate between remote
        Administrative Domains.
   V4:  The methods and security used by Telecommuters and Mobile Nodes
        to access the Administrative Domain.
   V5:  IPv6 software upgrades are not available for existing routers
        and nodes.
   V6:  Source code for applications has been lost, or the applications
        cannot be upgraded to IPv6.
   V7:  A new business function is being defined that can exist without
        extensive access to legacy IPv4 networks and nodes.
   V8:  Mission-critical applications must be able to interoperate with
        legacy IPv4 nodes.
   V9:  Legacy IPv4 nodes can be upgraded to support dual stack IPv4
        and IPv6.
   V10: Legacy IPv4 nodes cannot be upgraded to support dual stack IPv4
        and IPv6.
   V11: What time frames are required for the adoption of IPv6 for a
        given set of business requirements.
   V12: Which sections of an existing or new network will move towards
        IPv6 deployment first, second, ..., last, and at what rate.
   V13: What the network security requirements are for the Enterprise
        Network.
   V14: The Provider does not support IPv6.

The transition variables are the inputs to the first step in
determining the functions required for a scenario.
Once the transition variables are understood, the next step is to
select transition methods (M1..MN):

   M1: IPv4 Tunnels to Encapsulate IPv6
   M2: IPv6 Tunnels to Encapsulate IPv4
   M3: IPv6 NAT to Communicate with IPv4
   M4: IPv6 Native LANs
   M5: IPv6 Native Routing Domains
   M6: Dual Stack Nodes supporting IPv6 and IPv4
   M7: Single Stack IPv6 ONLY Nodes (no known implementations today)

Each network will need to select the methods that best suit its
business requirements. Any attempt to define a default or
one-size-fits-all set of variables and methods for all scenarios would
result in failure. These methods are discussed in Section 6 of this
document.

This document will define a list of sets for transition variables,
methods, and tool requirements, which together provide a
three-dimensional system for analysis that can be used to extrapolate
a set of solutions: the X axis is the transition variables (V#), the Y
axis the transition methods (M#), and the Z axis the tool requirement
set (Section 8) needed to support the X and Y conditions. A point in
this space is a transition strategy. After the document describes the
scenarios in depth (Section 9), the space will be depicted as a matrix
for readers of this document (Section 10).

It will be impossible, within a reasonable time frame, for the
document to define all possible sets for all scenarios that will
transition to IPv6. The document's objective is to provide enough data
to those working to define transition for a network that this document
can be used for analysis. In addition, the document will be useful for
implementors selecting specific transition strategies to support.

5. Enterprise Network Scenarios Overview

These are the six scenarios that will be used in the document to drive
the Enterprise Points of Transition, which will be determined by the
transition variables, methods, and tools. This is an overview of each
scenario.

Scenario #1

A large (20,000+ node) enterprise has an existing IPv4 network and
wishes to turn on IPv6 for an engineering development group of ~100
clients that exist at two geographic sites. Each engineering group is
on its own switched subnet. The IPv6 clients need to communicate with
each other, but still need access to IPv4-based services provided by
the corporation. What needs to be done to enable this deployment, and
where?

Scenario #2

An enterprise decides to deploy wireless services across its network,
and for reasons of geography and topology groups of access points end
up on different subnets. To optimize support for IP mobility, they
choose to make this service IPv6-only, while to secure the air link
they choose to have all connections use a VPN access technology. These
mobile IPv6-only nodes will still need access to legacy IPv4-only
applications.

Scenario #3

A modest-sized (<10,000 node) multi-site enterprise has deployed IPv4
NAT with overlapping private address ranges between the sites. They are
looking to improve productivity through a peer-to-peer conferencing
application that will need to work between sites. They are willing to
update the operating systems running that application to support both
IPv4 and IPv6, and over time will do the same for other services on
the network. Which transition technologies are applicable initially,
as they begin using the application? What changes or additional
technologies are applicable when the ISP for some, but not all, sites
offers native IPv6 service? What transition technologies are
applicable when all ISPs offer IPv6 service, but some of the internal
nodes remain IPv4-only?

Scenario #4

A very large global enterprise interacts with the public and private
Internet as a cohesive unit, but is composed of several
administratively distinct business units. Some of the business units
want to deploy a substantial number of stationary nodes (>10,000) in a
single subnet, while having those subnets accessible by all the
business units. To accomplish this, as well as to support wireless
mobility and peer-to-peer conferencing, they choose to enable these
new services as IPv6-only. At the same time there is a need to support
legacy IPv4-only applications, and to access the public Internet from
the wireless mobile nodes. What transition technologies are applicable
when only parts of a geographically dispersed business unit are
capable of IPv6 packet forwarding? What transition technologies become
applicable when an entire business unit is capable, but other business
units are not fully capable? What transition technologies apply at the
boundary to the public Internet?

Scenario #5

Two large enterprises using IPv4 NAT merge, with the consequence that
large segments of private network address space overlap. To allow the
network operations to merge, they decide to deploy IPv6 across the
network core and support infrastructure first. What transition
mechanisms apply to the process of migrating and managing the network
core? What transition technologies apply to the support
infrastructure? To further integrate the systems, what transition
technologies are applicable to the end nodes?

Scenario #6

A new Enterprise network is being defined for a new trucking business
that provides location-based services for its truck fleet over a wide
geography. The network will grow to more than 10,000 nodes, and the
truck fleets and account teams will use mobile devices to access the
Enterprise network's data and services. In addition, many employees
will be able to telecommute and work from home. There is no physical
Enterprise network today, and the Enterprise network team for the
business wants to build this new network with IPv6.

6. Enterprise Points of Transition Methods

The Enterprise network will have varying points of transition that
require different points of interoperability between IPv6 and IPv4.
These points of transition are the fulcrum of the template that
defines what is required for Enterprise networks within the focus of
this document.

6.1 M1: IPv4 Tunnels to Encapsulate IPv6

This Point of Transition exists under the following conditions:

   1. Two Dual Stacked IPv4/IPv6 nodes want to communicate using IPv6,
      but an IPv4 Internal Router is between them. These nodes could
      also be Mobile nodes in a remote location.

   2. Two Dual Stacked IPv4/IPv6 nodes want to communicate using IPv6,
      but they are in separate Administrative Domains and geographies,
      and packets must be sent through a Provider. These nodes could
      also be Mobile nodes in a remote location.

   3. Two Mobile Dual Stacked IPv4/IPv6 nodes want to communicate
      using IPv6, and both are on a remote IPv4 network.

   4. Two Mobile Dual Stacked IPv4/IPv6 nodes want to communicate
      using IPv6, and both are on a remote IPv6 network.

   5. Others (to be identified).

6.2 M2: IPv6 Tunnels to Encapsulate IPv4

This Point of Transition exists under the following conditions:

   1. A Dual Stacked IPv4/IPv6 node on a Native IPv6 link and Routing
      Domain wants to communicate with a legacy IPv4 service.
      Enterprise policy is that IPv6 should be used to encapsulate
      IPv4.

   2. A Dual Stacked IPv4/IPv6 node on a Native IPv6 link and Routing
      Domain wants to communicate with a legacy IPv4 service.
      Enterprise policy is that IPv4 should be used for this
      communication.

   3. The same conditions as above, but for a Mobile node.

   4. Others (to be identified).
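The tunnel methods above (M1, M2) and the translation method that
follows in 6.3 (M3) differ in one security-relevant way that the text
only states: a tunnel delivers the inner packet unchanged, while a
translator rewrites its addresses. The Python below is an added
illustration written for this page; it is not code from the draft or
from any transition-mechanism implementation. It builds constructed
IPv4 and IPv6 packets, carries one through a protocol-41 tunnel whose
decapsulator checks the outer peer and the inner source prefix, and
passes another through a minimal IPv6-to-IPv4 translator that uses the
IPv4-mapped prefix ::ffff:0:0/96 of RFC 2373. The HMAC tag, the key
E2E_KEY, the addresses and the application data are assumptions made
for the example; the tag stands in for an end-to-end integrity check
that covers the IP addresses, as IPsec AH does.

```python
"""Encapsulation (M1) versus translation (M3) on constructed packets.
Added illustration, not code from the draft. The tag stands in for an
end-to-end check covering the addresses (as IPsec AH does); key, addresses
and application data are all constructed for the example."""
import hashlib
import hmac
import ipaddress
import struct

IPPROTO_IPV6 = 41                                  # IPv6 carried inside IPv4
MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")    # IPv4-mapped prefix
E2E_KEY = b"example-shared-key"                    # assumed key, example only
TAG_LEN = 8

def end_to_end_tag(src, dst, data):
    """Sender's integrity tag over source address, destination address and data."""
    msg = ipaddress.ip_address(src).packed + ipaddress.ip_address(dst).packed + data
    return hmac.new(E2E_KEY, msg, hashlib.sha256).digest()[:TAG_LEN]

def tag_verifies(hdr):
    # True if the tag at the end of the payload matches the addresses in hdr.
    data, tag = hdr["payload"][:-TAG_LEN], hdr["payload"][-TAG_LEN:]
    return hmac.compare_digest(tag, end_to_end_tag(hdr["src"], hdr["dst"], data))

def ipv4_checksum(hdr):
    # One's-complement sum of 16-bit words; 0 for a header that verifies.
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:] + payload

def parse_ipv4(pkt):
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or (pkt[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if total_len < ihl or len(pkt) < total_len or ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 length or header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "payload": pkt[ihl:total_len]}

def build_ipv6(src, dst, next_hdr, payload):
    return struct.pack("!IHBB16s16s", 6 << 28, len(payload), next_hdr, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed) + payload

def parse_ipv6(pkt):
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        raise ValueError("not an IPv6 header")
    _, plen, next_hdr, _, src, dst = struct.unpack("!IHBB16s16s", pkt[:40])
    if len(pkt) < 40 + plen:
        raise ValueError("truncated IPv6 packet")
    return {"src": str(ipaddress.IPv6Address(src)), "dst": str(ipaddress.IPv6Address(dst)),
            "next": next_hdr, "payload": pkt[40:40 + plen]}

def encapsulate_6in4(inner_v6, tun_src, tun_dst):
    """M1: carry an IPv6 packet across IPv4-only routers as IPv4 protocol 41."""
    return build_ipv4(tun_src, tun_dst, IPPROTO_IPV6, inner_v6)

def decapsulate_6in4(pkt, peer_v4, peer_prefix):
    """Tunnel endpoint: accept protocol 41 only from the configured peer, with an
    inner source in that peer's prefix, or anyone reaching it can inject IPv6."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPV6:
        raise ValueError("not a protocol-41 packet")
    if outer["src"] != peer_v4:
        raise ValueError("outer source %s is not the tunnel peer" % outer["src"])
    inner = parse_ipv6(outer["payload"])
    if ipaddress.IPv6Address(inner["src"]) not in peer_prefix:
        raise ValueError("inner source %s is outside the peer prefix" % inner["src"])
    return outer["payload"]

def translate_6to4(v6_pkt, translator_v4, table):
    """M3: IPv6 node to IPv4-only service through a translator. IPv4 destination
    comes out of the mapped address; IPv4 source is the translator's, kept in a
    stateful table as IPv4 NAT does. Both addresses change on the way through."""
    inner = parse_ipv6(v6_pkt)
    dst6 = ipaddress.IPv6Address(inner["dst"])
    if dst6 not in MAPPED:
        raise ValueError("destination %s is not an IPv4-mapped address" % dst6)
    dst4 = str(ipaddress.IPv4Address(int(dst6) & 0xFFFFFFFF))
    src4 = table.setdefault(inner["src"], translator_v4)
    return build_ipv4(src4, dst4, inner["next"], inner["payload"])

def demo():
    # Send the same tagged data through a tunnel and through a translator.
    data, src6, dst6 = b"constructed application data", "2001:db8:1::10", "2001:db8:2::20"
    peer_net = ipaddress.IPv6Network("2001:db8:1::/48")
    pkt6 = build_ipv6(src6, dst6, 17, data + end_to_end_tag(src6, dst6, data))
    via_tunnel = parse_ipv6(decapsulate_6in4(
        encapsulate_6in4(pkt6, "192.0.2.1", "198.51.100.1"), "192.0.2.1", peer_net))
    try:    # same inner packet, but the outer source is not the configured peer
        decapsulate_6in4(encapsulate_6in4(pkt6, "203.0.113.99", "198.51.100.1"),
                         "192.0.2.1", peer_net)
        spoof_rejected = False
    except ValueError:
        spoof_rejected = True
    mapped = "::ffff:203.0.113.5"    # the IPv4-only service as the IPv6 node names it
    pkt6b = build_ipv6(src6, mapped, 17, data + end_to_end_tag(src6, mapped, data))
    via_nat = parse_ipv4(translate_6to4(pkt6b, "192.0.2.254", {}))
    return {"tunnel_keeps_tag": tag_verifies(via_tunnel),
            "spoofed_outer_rejected": spoof_rejected,
            "translator_keeps_tag": tag_verifies(via_nat)}
```

demo() shows the tag still verifying after the tunnel, a protocol-41
packet from an unexpected outer source being rejected, and the tag no
longer verifying after translation. Whatever the translator does with
the transport checksum, the receiver can no longer confirm that what it
received is what the sender addressed to it; that is the loss of
end-to-end security that 6.3 and 6.7 refer to. The two decapsulation
checks are the practical counterpart for M1: a tunnel endpoint that
accepts protocol 41 from any source is an unauthenticated path into the
Administrative Domain.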
6.3 M3: IPv6 NAT to Communicate with IPv4

This Point of Transition exists under the following conditions:

   1. A Dual Stacked IPv4/IPv6 node wants to communicate with a legacy
      IPv4 ONLY service or node. Enterprise policy is that IPv6 NAT
      should be used for this communication.

   2. An IPv6 ONLY node wants to communicate with a legacy IPv4 ONLY
      node or service. Same policy as above.

   3. The same conditions as above, but for a Mobile IPv6 ONLY node.

   4. Others (to be identified).

***IMPORTANT Discussion for Design Team and Working Group***

Should we recommend the following to the working group in the next
draft, and discuss it with the working group at the IETF Atlanta
meeting?

   1. The Design Team highly recommends that networks not adopt the
      policy in condition 1 above.

   2. IPv6 ONLY nodes should not be deployed in a network until they
      no longer require access to any legacy IPv4 node or service,
      which means that applications and infrastructure have been
      ported or moved to IPv6. Until that time, nodes in transition
      should be Dual Stacked IPv4/IPv6 nodes. Networks that want to
      use IPv6 ONLY nodes will therefore be required to move
      applications and infrastructure to IPv6 first.

We also need industry input from IPv6 early adopters, and from those
planning to move to IPv6 or running IPv6 in test mode, to note in this
draft. It is imperative that we get all input on this issue, because
the outcome can mean avoiding NAT for IPv6, and with it the loss of
end-to-end communication and security, in the deployment of Next
Generation Networks.

6.4 M4: IPv6 Native LANs

This Point of Transition exists when policy is to support the
deployment of Native IPv6 LANs. This condition will be driven by the
transition variables V1-V14 stated in Section 4.

6.5 M5: IPv6 Native Routing Domains

This Point of Transition exists when policy is to deploy IPv6 Native
Routing Domains. This condition will be driven by the transition
variables V1-V14 stated in Section 4.

6.6 M6: Dual Stack Nodes supporting IPv6 and IPv4

This Point of Transition is both a method to deploy IPv6 and a method
for transition. A network that deploys Dual Stacked IPv4/IPv6 nodes as
it adopts IPv6 has greater assurance that IPv6 and IPv4 interoperation
will be possible between any two nodes or services. It also means that
many legacy IPv4 nodes can be upgraded to support IPv4 and IPv6
without turning IPv6 on until the operational IPv6 network has been
verified to be interoperable and secure. Finally, nodes that
transition to IPv6 while still supporting IPv4 will be able to
communicate with IPv4 nodes over an IPv4 network infrastructure.

6.7 M7: Single Stack IPv6 ONLY Nodes

This Point of Transition will exist when networks deploy IPv6 ONLY
nodes. This method of transition requires IPv6 NAT, and the network
will lose IPv6 end-to-end capability and end-to-end security for IPv6
ONLY to IPv4 ONLY communication. See the IMPORTANT discussion for the
Design Team and Working Group in Section 6.3.

7. Enterprise Network Infrastructure Points of Transition

The Enterprise will need to determine which network infrastructure is
affected by the transition to IPv6. This infrastructure must be
analyzed and understood as a critical resource to manage. Each topic
below will be discussed, together with the transition issues facing
that part of the network infrastructure.

7.1 DNS

This will be discussed in the next draft.

7.2 Routing

This will be discussed in the next draft.

7.3 Autoconfiguration

This will be discussed in the next draft.
7.4 Security

This will be discussed in the next draft.

7.5 Applications and APIs

This will be discussed in the next draft.

7.6 IPv6 Address Scoping

This will be discussed in the next draft.

7.7 Network Management

This will be discussed in the next draft.

7.8 Address Planning

This will be discussed in the next draft.

8. Enterprise Tools Requirements

This section will identify the tool requirements for an Enterprise
Network transitioning to IPv6, so that the configuration issues for
the Enterprise Network are documented.

8.1 Routing Configuration

This will be discussed in the next draft.

8.2 DNS Configuration

This will be discussed in the next draft.

8.3 IPv6 Address Allocation and Configuration

This will be discussed in the next draft.

8.4 IPv4 Address Allocation and Configuration

This will be discussed in the next draft.

8.5 VPN/Tunnel Configuration

This will be discussed in the next draft.

8.6 Mobile Node IPv4/IPv6 Interoperation Configuration

This will be discussed in the next draft.

9. Enterprise Network Scenarios in Depth

This section will discuss the Scenarios in depth and identify the
transition method options and tool requirements from the previous
sections. This will be done in the next draft.

10. Enterprise Network Scenarios Matrix Graph

This section will provide a set of matrices built from the scenarios,
transition variables, methods, and tools, to define and determine
common points of transition across the Scenarios. This will be done in
the next draft.

11. Applicability Statement

This will be done in a future draft, as we get more working group
discussion.

12. Security Section

The first iteration of this section will be done in the next draft.

Acknowledgments

This will be added in a future draft.

References

These will be provided as the drafts mature and we reference related
work in the IETF and in the industry.

Authors' Addresses

Send email to ent-v6net@viagenie.qc.ca to contact the design team, and
send comments on the draft to v6ops@ops.ietf.org. Authors' contact
information will be provided in the next draft.