IPv4 – IPv6 first step datacenter transition


Internet Protocol version 6 is perhaps one of the most described protocols in the history of information technology, and this document is meant as a summary of its main features, to become familiar with its specifics and begin to introduce this powerful tool.

IPv6, although born to overcome the limitations of IPv4, meets considerable difficulties of adoption in the real world, because of the enormous diffusion that IPv4 has had over the years.

We believe that now is the time to begin using this formidable instrument which, precisely for these reasons, has had a period of refinement that not all technologies can afford.

This first draft of the document deliberately does not cover the low-level characteristics of the protocol, already widely discussed on the Internet; we focus instead on some peculiarities of the protocol and especially on how the technology can be adopted in mission-critical and business-critical environments.

Why IPv6

The first question anyone approaching IPv6 technology asks is:

Why IPv6?

Our answer is that the adoption of IPv6 simplifies.

Like all technologies, IPv6 must first be understood to be appreciated. The way to appreciate IPv6 is to understand its use before understanding its operation.

The wide introduction of IPv6, in a world conceived and fully built on IPv4, is necessarily a slow one. The client applications and devices that are not yet IPv6 compliant are many, and frankly, to date (19 July 2012), I could not recommend that an e-commerce site have an IPv6 address as its only public IP! In contrast, in a datacenter with hundreds or even thousands of virtual machines, I think the choice to use IPv6 is a facilitator.

Objective

The problem we want to solve is the chronic shortage of IP addresses in our server farm, which grows prodigiously thanks also to virtualization and to the immense power that today's servers give us.

We do not want to transform our server farm completely to IPv6 at once; we first want to familiarize ourselves with the protocol and then, once its potential is understood, extend its use.

We therefore identify a possible service to be delivered over IPv6 and begin with the first considerations and preliminary checks.

The objective is to be able to access, via IPv4 and IPv6, a backend pool of services attested on IPv6. The IPv4 and IPv6 addresses will be made available to clients through VIPs.

[Figure: clients reach the IPv6 servers through the LBL®IPv6 gateway, deployed as a Master node and a Sleeping node]

Assessing the environment

The first evaluation must be directed to the environment on which we passed the choice to try the delivery of services in IPv6. I shall not dwell on the operating systems because now all those available today offer the possibility of using both IPv4 and IPv6. For our examples we will use indifferently MS Windows, Linux and Solaris simultaneously.

Our project, predominantly of services delivered by a datacenter, provides for the use of certain components such as web server and application server. The assessment must therefore strive to check if the web servers or application servers used provide or at least not excluding the use of IPv6.

Basically the server components such as application server and web server, kept up-to-date, envisage the use of IPv4 and IPv6. If you fail to find documentation to perform the first test try it and see for yourself. In mission-critical environments or business-critical you are strongly advised to consult the manufacturer.

All applications written with languages born for the network, as for example Java, envisage the use of classes of use of Socket With Addressing IPv4 or IPv6 es.:

java.lang.Object
  extended by java.net.InetAddress
    extended by java.net.Inet4Address
    extended by java.net.Inet6Address

This, of course, is not sufficient for mission-critical or business-critical applications, but it is enough for a first test.

128 bits of addressing

One of the main objectives of this chapter is to understand how to use the 128 bits of the IPv6 protocol. The 128 bits, expressed in groups of 16 bits to make hexadecimal calculation easier, were designed to form "talking" routes; below is a first representation of their subdivision at a global level (Aggregate Global Table).

This is the representation used to assign meaningful ("talking") identifiers, dividing the 128 bits of the address into logical parts. It is important to keep it in mind because, as explained below, this logical subdivision may be used, in whole or in part, also for the routes within the datacenter, giving them order and readability.

Note also the reservation of the first 16 bits. These carry the essential information to recognize packets and determine their type. The table below summarizes the address categories.

IPv6 addresses can be grouped into the following types:

  • Unicast: addresses of single nodes
  • Multicast: addresses of groups of nodes
  • Anycast: addresses of services. Like multicast addresses, they identify a group of nodes; unlike multicast, packets are delivered only to the nearest node (on the basis of the metrics present on the routers) with respect to the sending node

Below, taking up the last table, we explain the individual use of each type.

Unicast

In general, IPv6 unicast addresses were designed with a logical subdivision into two parts: the subnet prefix and the host identifier.

The subnet prefix, also called netmask, identifies the network membership. The subnet prefix is expressed as a number of bits counted from the left of the IPv6 address.

Normally the 128-bit address is used with a subnet prefix of 64 bits, leaving the remaining 64 bits for the identification of the individual devices.

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
\_________________/ \_________________/
 network prefix       interface ID
 (first 64 bits)      (last 64 bits)
 subnet prefix        host identifier

The host can be identified either manually or through the identifier of the interface (MAC address): the MAC address is recalculated to be used as the host portion of the IPv6 address (EUI-64).

The EUI-64 format

  • The interface ID:
    • uniquely identifies an interface
    • must be unique on a link
    • can be obtained starting from the EUI-64 identifier
  • The EUI-64 identifier is based on the same principle as the MAC address, of which it is the evolution:
    • it identifies the manufacturer and the "serial number" of a device (64 bits)
    • there is a procedure to derive the EUI-64 ID from the EUI-48 ID (MAC address) (please refer to the abundant documentation on the Internet)
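As an added example (not from the original document), the EUI-48 to modified EUI-64 procedure referred to above, combined with a /64 prefix of this document's plan; the inverse function shows that the MAC address remains recoverable from such an interface ID, which is one reason to prefer manually assigned host identifiers. The MAC address is a constructed sample.

```python
import ipaddress
from typing import Optional


def mac_to_modified_eui64(mac: str) -> int:
    """Return the 64-bit modified EUI-64 interface ID derived from an EUI-48 MAC."""
    octets = bytes(int(b, 16) for b in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("a MAC address has exactly 6 octets")
    # Step 1: insert FF:FE between the OUI (first 3 octets) and the serial (last 3)
    eui64 = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # Step 2: invert the Universal/Local bit (bit 1 of the first octet)
    eui64[0] ^= 0x02
    return int.from_bytes(eui64, "big")


def interface_id_to_mac(iid: int) -> Optional[str]:
    """Inverse step: recover the MAC when the interface ID is EUI-64 derived.

    Returns None for interface IDs that do not carry the FF:FE marker,
    e.g. the manually assigned ones used in the addressing plan of this document.
    """
    b = bytearray(iid.to_bytes(8, "big"))
    if b[3:5] != b"\xff\xfe":
        return None
    b[0] ^= 0x02  # undo the U/L bit flip
    return ":".join("%02x" % x for x in b[:3] + b[5:])


def eui64_address(prefix: str, mac: str) -> str:
    """Combine a /64 subnet prefix with the EUI-64 host portion of a MAC address."""
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("an EUI-64 host portion needs a 64-bit subnet prefix")
    return str(ipaddress.IPv6Address(int(net.network_address) | mac_to_modified_eui64(mac)))


if __name__ == "__main__":
    sample_mac = "00:1b:21:3c:4d:5e"  # constructed sample, not a real device
    addr = eui64_address("fd00:c9:c9:4::/64", sample_mac)
    print(addr)                                     # fd00:c9:c9:4:21b:21ff:fe3c:4d5e
    print(interface_id_to_mac(int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)))
```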

Multicast (FF00-FFFF range)

Multicast identifies messages that must be propagated one-to-many.

Unlike IPv4 multicast, IPv6 multicast replaces the TTL with the "scoped address", which determines the propagation area.

The format of the scoped address is as follows:

FF<flags><scope>:<group id>

  • FF = multicast identifier
  • Flags = 0 permanent, 1 temporary. By definition, all addresses not statically allocated by IANA are temporary. 120 bits remain available for the various addressing schemes.
  • Scope:
    • 1 node-local
    • 2 link-local
    • 5 site-local
    • 8 organization-local
    • E global
  • Group id = identifier within the scope

In our examples this type of address will be used as a tool for the lookup-discovery procedures and for maintaining the lease time of the cluster nodes through the HeartBeat.

Anycast

Anycast addresses, not distinguishable by a specific format prefix (FP), are addresses assigned to a set of interfaces, usually belonging to different nodes. It must be explicitly declared that an address is being assigned as anycast.

Anycast addresses identify the server closest to the sender and can be used for fail-over when the nearest one is not available. Some anycast addresses are reserved for specific uses, such as router and Mobile IPv6 home-agent discovery.

The choice of the internal addressing

For addressing internal to the datacenter we therefore use unicast addressing, since we have to identify a resource precisely. Not wanting to depend on a route built from the network interface, but wanting to orient the addressing towards the services, we will use the address class FC00-FDFF, Unique Local Unicast.

With prefixes taken from the range FC00-FDFF we will build a "talking" route, so as to immediately identify the network segment we are referring to.

The FC00-FDFF Unique Local Unicast addressing is laid out as follows:

| 7 bits |1|  40 bits  |  16 bits  |          64 bits           |
+--------+-+-----------+-----------+----------------------------+
| Prefix |L| Global ID | Subnet ID |        Interface ID        |
+--------+-+-----------+-----------+----------------------------+

Prefix: FC00::/7, the prefix that identifies local unicast IPv6 addresses.

L: set to 1 if the prefix is assigned locally; set to 0 is reserved for future use.

Global ID: 40-bit global identifier used to create a globally unique prefix.

Subnet ID: 16-bit identifier of a subnet within the site.

Interface ID: 64-bit interface ID as defined in [ADDARCH].

To demonstrate the use of the subnet prefix (aka netmask), in the following examples we will use a subnet prefix of 48 bits, leaving the remaining 80 bits to the host identifier.

The subnet prefix is set when the address is assigned, by appending a slash and the number of subnet bits at the end:

E.g. Solaris: ifconfig e1000g3:1 inet6 fd00:CC:c9:5::/48 up

Linux: ifconfig eth3 inet6 add fd00:CC:c9:4::/48 up

MS Windows: netsh interface ipv6 add address "LBLMonitor" fd00:CC:c9:2::/48

E.g. 1: the network prefix (first 48 bits) and the host ID (last 80 bits)

XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX:XXXX
\____________/ \______________________/
 subnet prefix      host identifier
   (48 bits)           (80 bits)

In this example we will therefore use a netmask of 48 bits, more than sufficient to demonstrate the use of the netmask; it is subject to no constraint other than the first 16 bits, which identify the address type.

Thus, suppose we have an organization of addresses that can express our network:

fd00:c9:c9:1::
|    |  |  | |
|    |  |  | +--- local host
|    |  |  +----- host group
|    |  +-------- primary group
|    +----------- network group (c9=public, ca=private, cb=backend, cc=management)
+---------------- address type (unique local unicast)

This kind of addressing allows us to identify at a glance which network we are referring to, e.g.:

fd00:c9:c9:1:: refers to the public network

fd00:ca:c9:1:: refers to the private network

fd00:cb:c9:1:: refers to the backend network

fd00:cc:c9:1:: refers to the management network

We want to emphasize that the subdivision is completely arbitrary and limited only by the use of the subnet prefix (netmask), which identifies the "scope" of our network in the first 48 bits. Our address therefore has a /48 subnet prefix; everything beyond the 48th bit identifies the resource, the point of service delivery.
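As an added example (not part of the original document), a decoder for the three layouts described above: the FC00::/7 unique local unicast format with its L bit, the /48 "talking" plan (second group = network, then primary group, host group), and the FF<flags><scope> multicast format. The network-group names follow the plan; the scope names follow the list in the Multicast section.

```python
import ipaddress

# Second 16-bit group -> network, as defined in the addressing plan above
NETWORK_GROUPS = {0xC9: "public", 0xCA: "private", 0xCB: "backend", 0xCC: "management"}
# Multicast scope nibble values as listed in the Multicast section
MCAST_SCOPES = {1: "node-local", 2: "link-local", 5: "site-local",
                8: "organization-local", 0xE: "global"}


def describe(addr_text: str) -> dict:
    """Decode an address: ULA layout and /48 plan groups, or multicast flags/scope."""
    addr = ipaddress.IPv6Address(addr_text)
    n = int(addr)
    # The eight 16-bit groups, left to right
    groups = [(n >> (16 * (7 - i))) & 0xFFFF for i in range(8)]

    if addr.is_multicast:                        # FF<flags><scope>:<group id>
        flags = (groups[0] >> 4) & 0xF
        scope = groups[0] & 0xF
        return {"kind": "multicast",
                "flags": "permanent" if flags == 0 else "temporary",
                "scope": MCAST_SCOPES.get(scope, "unassigned(%x)" % scope),
                "group_id": n & ((1 << 112) - 1)}

    if (groups[0] >> 9) == 0b1111110:            # fc00::/7 unique local unicast
        return {"kind": "unique-local-unicast",
                "L": (groups[0] >> 8) & 1,       # 1 = locally assigned (fd00::/8)
                "network_group": NETWORK_GROUPS.get(groups[1], "unknown(%x)" % groups[1]),
                "primary_group": groups[2],
                "host_group": groups[3],
                # The /48 "scope" of the network; everything beyond it is the resource
                "subnet48": str(ipaddress.IPv6Network(addr_text + "/48", strict=False))}

    return {"kind": "other-unicast"}


def same_48(a: str, b: str) -> bool:
    """True when two addresses belong to the same /48 network segment of the plan."""
    return (ipaddress.IPv6Network(a + "/48", strict=False)
            == ipaddress.IPv6Network(b + "/48", strict=False))


if __name__ == "__main__":
    for a in ("fd00:c9:c9:4::", "fd00:ca:c9:4::", "ff02::1", "2001:db8::1"):
        print(a, describe(a))
    # The public VIP fd00:c9:c9:A:: and node 4 share a /48; the private address does not
    print(same_48("fd00:c9:c9:a::", "fd00:c9:c9:4::"), same_48("fd00:c9:c9:a::", "fd00:ca:c9:4::"))
```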

Below, screenshots for Linux, Solaris and MS Windows show a hypothetical server with IPv6 addressing:

[Figure: the address plan as shown on Linux, Solaris and MS Windows]

For this addressing plan we therefore foresee four types of networks:

  • Virtual
  • Public
  • Private
  • Back-end
  • Management

For the virtual network we will prepare both an IPv4 address (192.168.43.10) and an IPv6 address (fd00:c9:c9:A::/48). This makes the routing layer able to "listen" on both IPv4 and IPv6, giving clients the possibility to access, either by IPv4 or by IPv6, the same resources attested only on IPv6.

Duplicate Address Discovery and High Availability

To make an IP address highly available you must migrate the address from one node to another. IPv6 introduces Duplicate Address Discovery (aka DAD), which in normal situations detects duplicate addresses and automatically disables the duplicate one. This feature is useful for clients, but it must be disabled on the network interfaces used to support high availability (VIP), because it may deactivate the address during the migration. With DAD off the operating system no longer detects a conflict on its own, so the cluster software must guarantee that only one node holds the VIP at any time.

How to disable it differs on each operating system; below is an explanation with examples for MS Windows, Linux and Solaris.

MS Windows:

With MS Windows (Windows Vista / Server 2008, Windows 7 / Server 2008 R2 or higher) it is possible to disable the IPv6 DAD service through the netsh command. The procedure consists of finding the index of the NIC and then deactivating the service.

1 - Detection of the NIC index:

C:\> netsh interface ipv6 show interfaces

Idx  Met   MTU          State         Name
---  ----  -----------  ------------  ---------------------------
  1   50   4294967295   connected     Loopback Pseudo-Interface 1
 14   25   1500         connected     Wireless Network Connection
 10   20   1500         connected     LBLPublic
 17   50   1280         disconnected  isatap.{A7670B47-0EFA-4DAC-9BE5-
 25   50   1280         disconnected  isatap.homenet.telecomitalia.it
 15   50   1280         disconnected  Teredo Tunneling Pseudo-Interface
 12   50   1477         disconnected  Bluetooth Network Connection
 27   50   1280         disconnected  isatap.{278375D9-F269-47C8-BEF2-
 21   20   1500         connected     VirtualBox Host-Only Network

2 - Deactivation of the DAD service for the identified interface:

C:\> netsh interface ipv6 set interface "10" dadtransmits=0
OK.

3 - Verification that the deactivation took place:

C:\> netsh interface ipv6 show interface "10"

Interface LBLPublic Parameters
----------------------------------------------
IfLuid                             : ethernet_6
IfIndex                            : 10
State                              : connected
Metric                             : 20
Link MTU                           : 1500 bytes
Reachable Time                     : 18500 ms
Base Reachable Time                : 30000 ms
Retransmission Interval            : 1000 ms
DAD Transmits                      : 0
Site Prefix Length                 : 64
Site Id                            : 1
Forwarding                         : disabled
Advertising                        : disabled
Neighbor Discovery                 : enabled
Neighbor Unreachability Detection  : enabled
Router Discovery                   : enabled
Managed Address Configuration      : enabled
Other Stateful Configuration       : enabled
Weak Host Sends                    : disabled
Weak Host Receives                 : disabled
Use Automatic Metric               : enabled
Ignore Default Routes              : disabled
Advertised Router Lifetime         : 1800 seconds
Advertise Default Route            : disabled
Current Hop Limit                  : 0
Force ARPND Wake up patterns       : disabled
Directed MAC Wake up patterns      : disabled

LINUX:

To disable DAD on Linux, identify the name of the interface with the ifconfig command, then set the parameters:

net.ipv6.conf.<interface_name>.dad_transmits
net.ipv6.conf.<interface_name>.accept_dad

The parameters are best set at system startup, for example by adding the following lines to /etc/sysctl.conf (example with eth0):

net.ipv6.conf.eth0.dad_transmits = 0
net.ipv6.conf.eth0.accept_dad = 0

After a restart of the operating system, check that the setting was actually applied with the command:

# sysctl net.ipv6.conf.eth0.accept_dad
net.ipv6.conf.eth0.accept_dad = 0
# sysctl net.ipv6.conf.eth0.dad_transmits
net.ipv6.conf.eth0.dad_transmits = 0

Oracle Solaris:

Solaris uses a DAD algorithm set by default to optimistic (see Oracle® Solaris Administration: IP Services, and Solaris Duplicate IP Address Detection by James Carlson). To use the HA features we disabled, for the interfaces and for the specific addresses, the transmission of duplicate address detection.

To do this it is sufficient to act on the parameters of the NDP daemon and disable it through the DupAddrDetectTransmits variable.

With an editor, add to /etc/inet/ndpd.conf the following directives for each interface that manages a virtual address:

if e1000g0:3 DupAddrDetectTransmits 0
prefix fd00:c9:c9:A::/48 e1000g0:3

When the parameters are set, run the following command to make the daemon reload them:

# pkill -HUP in.ndpd
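As an added example (not from the original document), an audit of the Linux DAD settings described above, run over captured sysctl output: it flags VIP interfaces on which DAD is still active (the address could be deactivated during migration) and non-VIP interfaces on which it was switched off (duplicates would go undetected). The sysctl lines and interface names are constructed for the example.

```python
import re

# net.ipv6.conf.<iface>.dad_transmits / accept_dad lines as printed by `sysctl -a`
# (interface names containing dots, e.g. VLAN sub-interfaces, are shown with '/' by
# the kernel and are deliberately not handled here)
SYSCTL_RE = re.compile(r"^net\.ipv6\.conf\.([^.]+)\.(dad_transmits|accept_dad)\s*=\s*(\d+)$")


def parse_dad_settings(sysctl_output: str) -> dict:
    """Map interface -> {"dad_transmits": n, "accept_dad": n} from sysctl lines."""
    settings = {}
    for line in sysctl_output.splitlines():
        m = SYSCTL_RE.match(line.strip())
        if m:
            settings.setdefault(m.group(1), {})[m.group(2)] = int(m.group(3))
    return settings


def audit_dad(settings: dict, vip_interfaces: set) -> list:
    """Findings: VIP carriers must have DAD off; every other interface should keep it on."""
    findings = []
    for iface, vals in sorted(settings.items()):
        transmits = vals.get("dad_transmits", 1)
        accept = vals.get("accept_dad", 1)
        if iface in ("all", "default"):
            # Disabling DAD globally removes conflict detection from every interface
            if transmits == 0 or accept == 0:
                findings.append("%s: DAD disabled globally; limit it to the VIP interfaces" % iface)
            continue
        # DAD only works when probes are sent (dad_transmits > 0) and honoured (accept_dad > 0)
        dad_on = transmits > 0 and accept > 0
        if iface in vip_interfaces and dad_on:
            findings.append("%s: VIP interface still has DAD enabled; the address may be "
                            "deactivated during migration" % iface)
        elif iface not in vip_interfaces and not dad_on:
            findings.append("%s: DAD disabled on a non-VIP interface; duplicate addresses "
                            "would go undetected" % iface)
    return findings


# Constructed sample of `sysctl -a` output: eth0 carries the VIP and is correctly set,
# eth1 is a normal interface, eth2 had accept_dad switched off by mistake.
SAMPLE_SYSCTL = """\
net.ipv6.conf.all.accept_dad = 1
net.ipv6.conf.all.dad_transmits = 1
net.ipv6.conf.default.accept_dad = 1
net.ipv6.conf.default.dad_transmits = 1
net.ipv6.conf.eth0.accept_dad = 0
net.ipv6.conf.eth0.dad_transmits = 0
net.ipv6.conf.eth1.accept_dad = 1
net.ipv6.conf.eth1.dad_transmits = 1
net.ipv6.conf.eth2.accept_dad = 0
net.ipv6.conf.eth2.dad_transmits = 1
"""

if __name__ == "__main__":
    for finding in audit_dad(parse_dad_settings(SAMPLE_SYSCTL), {"eth0"}):
        print(finding)
```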

Setup Operating System Jessica

The setup of Jessica is carried out on a Linux operating system where 4 network interfaces will be configured. We used an Ubuntu distribution with a kernel revision 3. For convenience we left the old IPv4 interfaces commented out; to enable them it is sufficient to remove the comments. The monitor (aka management) interface was placed on an alias, since we wanted to use the fourth network interface (eth3) to reach the Internet (useful in the initial setup, it will be disabled in production):

FILE: /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
#iface eth0 inet static
#  address 192.168.43.110
#  netmask 255.255.255.0
iface eth0 inet6 static
  address fd00:c9:c9:4::/48

# The private network interface
auto eth1
#iface eth1 inet static
#  address 192.168.44.110
#  netmask 255.255.255.0
#  up route add -net 224.0.0.0 netmask 240.0.0.0 dev eth1
iface eth1 inet6 static
  address fd00:ca:c9:4::/48

# The backend network interface
auto eth2
#iface eth2 inet static
#  address 192.168.45.110
#  netmask 255.255.255.0
iface eth2 inet6 static
  address fd00:cb:c9:4::/48

# The management network interface
auto eth2:0
iface eth2:0 inet static
  address 192.168.46.110
  netmask 255.255.255.0
iface eth2 inet6 static
  address fd00:CC:c9:4::/48

# The internet network interface
auto eth3
iface eth3 inet dhcp
#pre-up /sbin/ifconfig $IFACE mtu 1300
#iface eth1 inet static
#  address 192.168.46.110
#  netmask 255.255.255.0

After a reboot, running ifconfig you should get this configuration:

Setup Operating System Roger Rabbit

The installation of RogerRabbit is similar to the installation of Jessica. In a virtualized environment you might clone the virtual machine and then change the hostname and the static addresses. Also in this case an alias was used for the management address, so as to be able to obtain a DHCP address on the network card eth3 and thus access the Internet. This last address, convenient in the initial setup, will be disabled in production.

FILE: /etc/network/interfaces

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
#iface eth0 inet static
#  address 192.168.43.109
#  netmask 255.255.255.0
iface eth0 inet6 static
  address fd00:c9:c9:3::/48

# The private network interface
auto eth1
#iface eth1 inet static
#  address 192.168.44.109
#  netmask 255.255.255.0
#  up route add -net 224.0.0.0 netmask 240.0.0.0 dev eth1
iface eth1 inet6 static
  address fd00:ca:c9:3::/48

# The backend network interface
auto eth2
#iface eth2 inet static
#  address 192.168.45.109
#  netmask 255.255.255.0
iface eth2 inet6 static
  address fd00:cb:c9:3::/48

# The management network interface
auto eth2:0
iface eth2:0 inet static
  address 192.168.46.109
  netmask 255.255.255.0
iface eth2 inet6 static
  address fd00:CC:c9:3::/48

# The internet network interface
auto eth3
iface eth3 inet dhcp
#pre-up /sbin/ifconfig $IFACE mtu 1300
#iface eth1 inet static
#  address 192.168.46.109
#  netmask 255.255.255.0

After a reboot of rogerrabbit, running ifconfig you should get this configuration:

Setup LBL®Application Delivery Controller Jessica

For simplicity we will comment on screenshots of the management console for the most significant parts.

The vrrpserver, attested on the private network, is an HTTP server used to exchange routing information between the LBL®Application Delivery Controller nodes. Its IPv6 address is the one on the private HeartBeat network:

[fd00:ca:c9:4::]

In systemsmonitor_m it is interesting to note that virtual addresses (VIP), both IPv4 and IPv6, can be indicated in a very simple manner. LBL®Application Delivery Controller automatically distinguishes IPv6 addresses from IPv4 ones through their peculiar notation and then configures the network card accordingly.

Another thing to note is that, on Linux, IPv6 addresses may be added directly to the network card definition without using aliases, as is instead the case for IPv4.

The configuration of the statistics header, if embedded, must not be changed. If a centralized IPv6 broker were used, the remoteServerURL parameter should be amended as follows:

Example of remoteServerURL IPv6:

LBL_global_ADDRESS_BROKERWEBCACHE=[fd00:cb:c9:6::]

The lookup file instructs LBL®Application Delivery Controller to perform the lookup discovery of the other nodes via the private heartbeat network. As for IPv4, LBL requires the address of the interface on which the UDP multicast will take place, so as not to propagate messages on all networks. The UDP multicast address used is in any case link-local, thus with the LAN as scope.

We finally reach the configuration file of routing and balancing. In the <listeners> paragraph you can observe a novelty: the possibility of indicating more than one listening address for the same bind. In this case it allows setting both IPv4 and IPv6 addresses in the same <bind> paragraph.

In the section reserved for <endpoints> you can observe how the resources on which the services are attested are indicated.

As for IPv4, the HealthCheck service is not affected by the changes, being a loopback service used by the system for fail-over of the LBL®Application Delivery Controller nodes.

Setup LBL®Application Delivery Controller Roger Rabbit

In the same manner as for Jessica, below we explain the setup of the LBL®Application Delivery Controller routing component. The settings are identical to those of the IPv6 gateway routing component; they are obviously typed in for the components related to this node.

The vrrpserver is an HTTP service that, through the private heartbeat network, exchanges routing information between the nodes of the balancing cluster.

As for Jessica, the lookup file instructs LBL®Application Delivery Controller to perform the lookup discovery of the other nodes via the private heartbeat network. As for IPv4, LBL requires the address of the interface on which the UDP multicast will take place, so as not to propagate messages on all networks. The UDP multicast address used is in any case link-local, thus with the LAN as scope.

Start the Tomcat service

In this case the Tomcat service is started on an MS Windows server, in order to verify this platform as well.

To set the IPv6 address of the backend, as shown in the image, go to Control Panel, Network and Internet, Network Connections, and on the selected NIC set the IPv6 address as shown in the image.

Once set, you can start Tomcat, which by default listens on all the interfaces present and therefore also on the IPv6 address.

Functionality testing of the LBL®Application Delivery Controller IPv6 gateway

It now only remains to reach, through the browser, the services delivered over IPv6, from either IPv4 or IPv6:

IPv4: http://192.168.43.10/trainingw/

IPv6: http://[fd00:c9:c9:a::]/trainingw/

The result of the routing can be appreciated in the following image: regardless of how the request enters, through the IPv4 or the IPv6 virtual address, it is forwarded to the service located on the IPv6 backend.

We now disable the routes to the endpoints attested on the static IPv6 backend address and point to the same Tomcat service, attested on the autoconfigured address of the same server.

The result is that requests coming from the IPv4 and IPv6 virtual addresses are forwarded to the IPv6 backend with the autoconfigured address.

Conclusion

At the end of this document we can say that the practical use of IPv6 is not dissimilar from the use of IPv4, while at the same time giving a flexibility and an order in the assignment of addresses that are decidedly superior, allowing the possibilities offered by virtualization to be exploited to the full. Application compatibility with LBL®Application Delivery Controller is ensured by providing a platform that allows the new addressing to be introduced gradually, also giving operators the possibility to familiarize themselves with this protocol and the whole world created around it: DNS, security policies, routing.

Acronyms and Definitions

IPv4: Internet Protocol version 4
IPv6: Internet Protocol version 6
Endpoint: backend service
Listener: access point to services
Netmask: subnet prefix in IPv6
Subnet prefix: netmask in IPv4
DAD: Duplicate Address Discovery

Summary table and Aggregate descriptive Table Global IPv6