Introduction
With IPv6 on the horizon we thought it best to start preparing for it. Since
most of our network vendors don't fully support IPv6 we are starting internally.
I am going to give you a quick rundown of what we had to do that was "extra" to get
IPv6 to play with Active Directory (AD), along with a cut-down version of the
background surrounding it.
Very quick synopsis of IPv6
The IPv6 address space is huge. The long term intent is to have enough IP addresses
to assign a public address to every single device, plug, outlet, fridge, stove,
smart phone, headset, VOIP phone, ice maker, dog collar, door, window, car and
child, among others. With IPv4 we would typically assign every computer in our network a private address
in a range like 192.168.1.1-192.168.1.254. The router or firewall would then
translate the internal addresses to external addresses as required. This process is called Network Address Translation or NAT.
With IPv6, NAT will be a thing of the past. As far as I know
NAT doesn't even work with IPv6. You may question the security of this, but don't
forget the data still must flow through a router or firewall that will have rules
in place to protect the traffic. Also, we wouldn't publish every machine in a public
DNS, so good luck guessing the address anyway.
How huge is huge?
IPv4 has a shade over 4 billion unique addresses. IPv6 has over 340 undecillion
addresses. That is so many that even the word undecillion is listed as a misspelled
word in Microsoft Word 2010. What does that look like? 340,000,000,000,000,000,000,000,000,000,000,000,000. Yep, so it's huge. Finally no more lost golf balls,
as every golf ball will be able to have a routable IP address and a GPS tracker
built in.
What does it look like?
fdb8:0059:3a48:5a3d:e198:1008:aa0b:0001
This is an example of a Unique Local Address or ULA. These are supposed to be
randomly generated, using a time and a MAC address in the calculation so that they
have a high likelihood of uniqueness. In other words, it is possible that these
could cause conflicts if you choose one that someone else has. For example, if you
choose the same IPv6 ULA subnet as a company you merge with and then set up
site-to-site tunnels, you may have conflicts. I know - way too much information.
Let's keep going.
What types of IP addresses are there if there is no more NAT and private IPs?
This is, in my eyes, still evolving, and I think it will continue to evolve as we
get closer to actually using IPv6 in broader terms. However, three important types
will be around for the long term.
Global addresses – Publicly routable on the internet, similar to the addresses
you would assign to your external webservers etc.
Link Local addresses – This is a randomly generated address using a variety of
calculations, similar to the 169.254.x.x address you get when your DHCP server is
broken. You can actually just enable IPv6 on the computers on your LAN and connect
to them.
ULA – This is the new equivalent of private IP addresses. They are classified as
not likely to be duplicated, and are not likely to be routed onto the internet.
They all use the same prefix, so it's easy for sysadmins to block these packets
from escaping into the wild. They all begin with fd00:. There is an algorithm
described in RFC 4193 that will give you an address that has a high likelihood of
not being duplicated.
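As an added example that is not part of the article, here is the RFC 4193 prefix algorithm in Python: build the 64-bit NTP timestamp and the EUI-64, hash them with SHA-1, take the low 40 bits as the Global ID, and check whether a given address falls in fd00::/8 (the range to block at the edge). The MAC address and timestamp are constructed inputs so the run is reproducible.

```python
"""RFC 4193 ULA prefix generation and checks (added example, not from the article)."""
import hashlib
import ipaddress

ULA_LOCAL = ipaddress.IPv6Network("fd00::/8")   # fc00::/7 with the L bit set: locally assigned


def ntp_timestamp(unix_seconds: float) -> bytes:
    """RFC 4193 step 1: 64-bit NTP timestamp (seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    ntp_seconds = (whole + 2208988800) & 0xFFFFFFFF          # 1900 -> 1970 epoch offset
    fraction = int((unix_seconds - whole) * (1 << 32)) & 0xFFFFFFFF
    return ntp_seconds.to_bytes(4, "big") + fraction.to_bytes(4, "big")


def mac_to_eui64(mac: str) -> bytes:
    """RFC 4193 step 2: modified EUI-64 from a 48-bit MAC (insert ff:fe, flip U/L bit)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = octets[:3] + b"\xff\xfe" + octets[3:]
    return bytes([eui[0] ^ 0x02]) + eui[1:]


def ula_prefix(eui64: bytes, ts: bytes) -> ipaddress.IPv6Network:
    """RFC 4193 steps 3-6: SHA-1(time || EUI-64); low 40 bits become the Global ID."""
    digest = hashlib.sha1(ts + eui64).digest()
    global_id = int.from_bytes(digest[-5:], "big")          # least significant 40 bits
    prefix_int = (0xFD << 120) | (global_id << 80)          # fd + Global ID, Subnet ID = 0
    return ipaddress.IPv6Network((prefix_int, 48))


def is_ula(addr: str) -> bool:
    """True for fd00::/8: the range the article says to block at the edge."""
    return ipaddress.IPv6Address(addr) in ULA_LOCAL


def split_ula(addr: str) -> tuple:
    """Return (40-bit Global ID, 16-bit Subnet ID); useful when comparing two sites' ULAs."""
    if not is_ula(addr):
        raise ValueError("not a locally assigned ULA")
    n = int(ipaddress.IPv6Address(addr))
    return (n >> 80) & ((1 << 40) - 1), (n >> 64) & 0xFFFF


if __name__ == "__main__":
    # Constructed MAC and fixed timestamp so the output is reproducible offline.
    prefix = ula_prefix(mac_to_eui64("00:1b:21:3c:4d:5e"), ntp_timestamp(1_300_000_000.5))
    print(prefix)                                  # a /48 such as fdXX:XXXX:XXXX::/48
    print(split_ula("fdb8:0059:3a48:5a3d:e198:1008:aa0b:0001"))  # Global ID 0xb800593a48, Subnet ID 0x5a3d
```

Running split_ula on two sites' ULA prefixes before a merger or site-to-site tunnel tells you up front whether the Global IDs collide.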
So now that we all know everything there is to know about IPv6, let's figure out
what we have to do to get IPv6 up and running. There are a number of ways you can
do this. What I will describe is what we are doing at The Code Project in order to
work towards testing and deploying our websites and services with IPv6.
The basic steps
- Calculate an IPv6 subnet. A class 16 is large enough for most situations. It
has 65534 addresses.
- Give your first DC a static IP in the above range. You will need to set the
IPv6 address, prefix, gateway and DNS (at least for now in Windows 2008 R2). Just
make up the gateway or don't assign one, as chances are your gateway doesn't
support it yet anyway.
- Once this is done you can install the Active Directory Domain Services role.
- Install DNS and set up zones for both IPv4 and IPv6. It's really no different
between the two, but you need to do it twice, once for each.
- Set up DHCP to assign addresses from your range above for both IPv6 and IPv4.
- Join your computers, assign static addresses to the machines you want to be
static, leave the rest on DHCP, and Bob's your uncle.
That's about it: nothing really too complicated. Since your router or firewall is
not likely to even support IPv6 fully, you are pretty much done. You will notice in
DNS that you now have a host A record and a host AAAA IPv6 record.
You can turn off IPv4 on your locally connected computers and they will be able to
connect as they did before, but of course unless you have IPv6 from your ISP you
won't be able to get out onto the internet.
What have we done at The Code Project?
We have rebuilt our domain controllers with IPv6 ULA addresses at our head office.
We will be starting to enable all of our machines with IPv6 over the next few
weeks, and then start testing our code to make sure we can provide an IPv6 version
when it becomes possible.