Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

System Administration Guide: IP Services
Previous Next

Preparing the Existing Network to Support IPv6


Note - The Solaris dual protocol stack supports concurrent IPv4 and IPv6 operations. You can successfully run IPv4–related operations during and after deployment of IPv6 on your network.


IPv6 introduces additional features to an existing network. Therefore, when you first deploy IPv6, you must ensure that you do not disrupt any operations that are working with IPv4. The subjects covered in this section describe how to introduce IPv6 to an existing network in a step-by-step fashion.

Preparing the Network Topology for IPv6 Support

The first step in IPv6 deployment is to assess which existing entities on your network can support IPv6. In most cases, the network topology-wires, routers, and hosts-can remain unchanged as you implement IPv6. However, you might have to prepare existing hardware and applications for IPv6 before actually configuring IPv6 addresses on network interfaces.

Verify which hardware on your network can be upgraded to IPv6. For example, check the manufacturers' documentation for IPv6 readiness regarding the following classes of hardware:

  • Routers

  • Firewalls

  • Servers

  • Switches


Note - All procedures in the this Part assume that your equipment, particularly routers, can be upgraded to IPv6.


Some router models cannot be upgraded to IPv6. For more information and a workaround, refer to IPv4 Router Cannot Be Upgraded to IPv6.

Preparing Network Services for IPv6 Support

The following typical IPv4 network services in the current Solaris release are IPv6 ready:

  • sendmail

  • NFS

  • HTTP (Apache 2.x or Orion)

  • DNS

  • LDAP

The IMAP mail service is for IPv4 only.

Nodes that are configured for IPv6 can run IPv4 services. When you turn on IPv6, not all services accept IPv6 connections. Services that have been ported to IPv6 will accept a connection. Services that have not been ported to IPv6 continue to work with the IPv4 half of the protocol stack.

Some issues can arise after you upgrade services to IPv6. For details, see Problems After Upgrading Services to IPv6.

Preparing Servers for IPv6 Support

Because servers are considered IPv6 hosts, by default their IPv6 addresses are automatically configured by the Neighbor Discovery protocol. However, many servers have multiple network interface cards (NICs) that you might want to swap out for maintenance or replacement. When you replace one NIC, Neighbor Discovery automatically generates a new interface ID for that NIC. This behavior might not be acceptable for a particular server.

Therefore, consider manually configuring the interface ID portion of the IPv6 addresses for each interface of the server. For instructions, refer to How to Configure a User-Specified IPv6 Token. Later, when you need to replace an existing NIC, the already configured IPv6 address is applied to the replacement NIC.

How to Prepare Network Services for IPv6 Support

  1. Update the following network services to support IPv6:
    • Mail servers

    • NIS servers

    • NFS


      Note - LDAP supports IPv6 without requiring IPv6-specific configuration tasks.


  2. Verify that your firewall hardware is IPv6 ready.

    Refer to the appropriate firewall-related documentation for instructions.

  3. Verify that other services on your network have been ported to IPv6.

    For more information, refer to marketing collateral and associated documentation for the software.

  4. If your site deploys the following services, make sure that you have taken the appropriate measures for these services:
  5. Audit any network services that are offered by a node prior to converting that node to IPv6.

How to Prepare DNS for IPv6 Support

The current Solaris release supports DNS resolution on both the client side and the server side. Do the following to prepare DNS services for IPv6.

For more information that is related to DNS support for IPv6, refer to System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP).

  1. Ensure that the DNS server that performs recursive name resolution is dual-stacked (IPv4 and IPv6) or for IPv4 only.
  2. On the DNS server, populate the DNS database with relevant IPv6 database AAAA records in the forward zone.

    Note - Servers that run multiple critical services require special attention. Ensure that the network is working properly. Also ensure that all critical services are ported to IPv6. Then, add the server's IPv6 address to the DNS database.


  3. Add the associated PTR records for the AAAA records into the reverse zone.
  4. Add either IPv4 only data, or both IPv6 and IPv4 data into the NS record that describes zones.

Planning for Tunnels in the Network Topology

The IPv6 implementation supports a number of tunnel configurations to serve as transition mechanisms as your network migrates to a mix of IPv4 and IPv6. Tunnels enable isolated IPv6 networks to communicate. Because most of the Internet runs IPv4, IPv6 packets from your site need to travel across the Internet through tunnels to destination IPv6 networks.

Here are some major scenarios for using tunnels in the IPv6 network topology:

  • The ISP from which you purchase IPv6 service allows you to create a tunnel from your site's boundary router to the ISP network. Figure 4-1 shows such a tunnel. In such a case, you would run a manual, IPv6 over IPv4 tunnel.

  • You manage a large, distributed network with IPv4 connectivity. To connect the distributed sites that use IPv6, you can run an automatic 6to4 tunnel from the edge router of each subnet.

  • Sometimes, a router in your infrastructure cannot be upgraded to IPv6. In this case, you can create a manual tunnel over the IPv4 router, with two IPv6 routers as endpoints.

For procedures for configuring tunnels, refer to Tasks for Configuring Tunnels for IPv6 Support (Task Map). For conceptual information regarding tunnels, refer to IPv6 Tunnels.

Security Considerations for the IPv6 Implementation

When you introduce IPv6 into an existing network, you must take care not to compromise the security of the site. Be aware of the following security issues as you phase in your IPv6 implementation:

  • The same amount of filtering is required for both IPv6 packets and IPv4 packets.

  • IPv6 packets are often tunneled through a firewall. Therefore, you should implement either of the following scenarios:

    • Have the firewall do content inspection inside the tunnel.

    • Put an IPv6 firewall with similar rules at the opposite tunnel endpoint.

  • Some transition mechanisms exist that use IPv6 over UDP over IPv4 tunnels. These mechanisms might prove dangerous by short-circuiting the firewall.

  • IPv6 nodes are globally reachable from outside the enterprise network. If your security policy prohibits public access, you must establish stricter rules for the firewall. For example, consider configuring a stateful firewall.

This book includes security features that can be used within an IPv6 implementation.

Previous Next

 
 
  Published under the terms fo the Public Documentation License Version 1.01. Design by Interspire