IPv6 Planning and Implementation

Bechtel's IPv6 deployment started with project planning and training in early 2005 with an enterprise deployment implementation targeted at two primary objectives:

• Enabling end-to-end IPv6 communications for existing applications and services

• Providing a foundation for future IPv6 applications, services, and innovations

The model in Figure 5-11 highlights the basic information flow in end-to-end connections. Security, naming, and other services are omitted for simplicity. This is a typical scenario that may represent a web browser (App 1) talking to a web server (Service 2) in another office. Bechtel's planning and implementation work has addressed the hardware, software, and networks required to achieve end-to-end IPv6 communications.

Figure 5-11 Bechtel Application Communication

This model brings to the surface many questions that Bechtel has to address within the context of its global operations, internally as well as with its partners, customers, and suppliers. These questions include:

• How are IPv6 addresses assigned and managed?

• How is routing different?

• How will host computers get routable addresses?

• Will applications fail if IPv6 is enabled on the OS and network?

• How will Bechtel manage the new environment?

• What are the dependencies and optimum sequencing of activities?

These and many other questions had to be addressed in a multiyear project plan that guides the development and execution of tactical work. Detailed plans have evolved with experience but have kept an overall structure. Decisions about the environment in which the initial IPv6 work would take place were made step by step.

Project Scope

Following is an extract from Bechtel's IPv6 Implementation Plan and Functional Spec:

The goal of the project is to establish IPv6 as the protocol of choice on Bechtel's internal network and to accomplish a broad deployment across the enterprise. IPv6 has been designed with a view towards facilitating ease of transition from IPv4, and support for "dual-stack" configuration emerged as a key feature. A key aspect of Bechtel's implementation of IPv6 will be a long-term commitment to running in "dual-stack" configuration. IPv4 and IPv6 will coexist on our hosts/network. Connection services and applications which have an IPv4-only requirement will continue to function. It is expected that the prevalence of such IPv4-only applications will diminish over time as the functional solutions are updated (or replaced) to include compliance with IPv6.

The initial deployment strategy was to install IPv6 as a foundational building block in Bechtel's network architecture and to do so without dislodging the currently used IPv4 building block. This offers two specific advantages. First, in a network environment where both protocols are in place and functioning independently, IPv6 automatically becomes the default transport for upper-layer services and applications, which triggers a transparent transition for all IPv6-ready services and applications. Second, the deployment of this underlying IPv6 foundational building block meets the requirements of new IPv6-capable products and innovations.

The following network phases of the company's IPv6 project highlight the movement from lab to production networks and environments over time. We have included a sample of the major activities for each phase to provide an idea about the effort and scope involved. Each lab activity was targeted at developing the competence and documentation required to move to the production network environment. Note that the network phases listed include applications, services, and operating systems.

Phase I (Lab): IPv6 in "Local" Labs

Bechtel uses its isolated IPv6 lab environment to minimize risk to production users when the IPv6 technology being tested may be potentially disruptive or pose a security risk. Phase I established IPv6 labs at four locations. Each lab was equipped with at least one router, one switch, a domain controller, a file/web server, and two or more client computers.

The IPv6 isolated labs have been configured to support the following standard infrastructure services that are expected in a dual-stack environment. Not all services were implemented at each site. Below is a list of typical common infrastructure services enabled and tested in one or more labs.

• IPv6 stateless autoconfiguration

• Active Directory

• E-mail (Exchange) and Simple Mail Transfer Protocol (SMTP)

• Internet Information Services (IIS)

• Proxy (Microsoft ISA Server)

• System Management Server (SMS)

• Database servers

• Simple Network Management Protocol (SNMP)

• Network Time Protocol (NTP) services

• Certification authority (CA)

• Microsoft Internet Authentication Service (IAS)

Phase II (Lab): IPv6 and Intersite Connectivity

Bechtel connected the labs to each other through physically isolated WAN connections. VPN WAN connections and routing models were developed. The major components of Phase II included:

• Functional specs for setting up inter-site connectivity (lab)

• IPv6 OSPF authentication over IPv4 (protocol 41) WAN tunnels

• End-to-end WAN testing using IIS 6.0

• Address plan finalization

Phase III (Production): Pilot Deployment in Production LAN Environment (LAN/"IPv6 Islands")

IPv6 was enabled on production WANs at the sites hosting the four isolated IPv6 labs. Initial deployment was on selected VLANs within each office. This leveraged work done in Phase I, adding required production support and management components. Phase III activities focused on:

• Risk analysis and mitigation prior to pilot deployment in production LAN.

• Functional specs for pilot deployment in production environment (LAN).

• Using IEEE 802.1q VLAN standard to "overlay" IPv6 links.

• Incremental expansion of IPv6 "island."

• Application layer validation in production network environment (LAN).

• After the LAN pilot phase was complete, all future new LAN implementations include IPv6 on all VLANs. Other existing IPv4-only sites are being IPv6-enabled on a scheduled process.
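As an added illustration of what "address plan finalization" (Phase II) and overlaying IPv6 links on 802.1q VLANs (Phase III) involve in practice, the following Python script carves the provider-independent 2001:4920::/32 that the timeline later records into per-site /48s and per-VLAN /64s, and maps a host address back to its site and VLAN. This is example code written for this edit, not Bechtel's own plan or tooling; the site numbering and the convention of using the 12-bit VLAN ID directly as the 16-bit subnet ID are constructed assumptions.

```python
import ipaddress
from typing import Dict, Optional, Tuple

# Bechtel's provider-independent allocation from ARIN, as stated on the page.
ENTERPRISE_PREFIX = ipaddress.IPv6Network("2001:4920::/32")


def site_prefix(site_index: int) -> ipaddress.IPv6Network:
    """Return the /48 for one site.

    A /32 holds 65,536 /48s, so the site index occupies the 16 bits just below
    the /32 (bits 80..95 of the 128-bit address). Site numbering itself is a
    constructed assumption for this example.
    """
    if not 0 <= site_index < 2 ** 16:
        raise ValueError("site index out of range for a /32 -> /48 split")
    base = int(ENTERPRISE_PREFIX.network_address)
    return ipaddress.IPv6Network((base + (site_index << 80), 48))


def vlan_prefix(site_index: int, vlan_id: int) -> ipaddress.IPv6Network:
    """Return the /64 for an 802.1q VLAN at a site.

    The 16-bit subnet ID (bits 64..79) is set to the VLAN ID. 802.1q VLAN IDs
    are 1..4094, so every VLAN fits without remapping; this convention is an
    assumption of the example, not Bechtel's documented scheme.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError("802.1q VLAN IDs are 1..4094")
    base = int(site_prefix(site_index).network_address)
    return ipaddress.IPv6Network((base + (vlan_id << 64), 64))


def site_plan(site_index: int, vlan_ids) -> Dict[int, str]:
    """Build the /64 allocation table for the VLANs overlaid at one site."""
    return {vid: str(vlan_prefix(site_index, vid)) for vid in vlan_ids}


def locate(addr: str) -> Optional[Tuple[int, int]]:
    """Reverse lookup: which (site, VLAN) does a host address belong to?

    Returns None for addresses outside the enterprise prefix, so callers can
    tell an internal host from an external one with a single check.
    """
    a = ipaddress.IPv6Address(addr)
    if a not in ENTERPRISE_PREFIX:
        return None
    v = int(a)
    site = (v >> 80) & 0xFFFF
    vlan = (v >> 64) & 0xFFFF
    return site, vlan


if __name__ == "__main__":
    # Constructed example: site 1 overlays IPv6 on VLANs 100, 200 and 4094.
    for vid, prefix in site_plan(1, [100, 200, 4094]).items():
        print(f"site 1 VLAN {vid:4d} -> {prefix}")
    print(locate("2001:4920:1:64::1234"))
```

Because the VLAN ID is embedded in the subnet ID, any address seen in a log can be traced to its site and VLAN without a separate lookup table, which is the kind of property a plan "finalized" before production deployment is meant to guarantee.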

Phase IV (Production): Pilot Deployment in Production Environment (WAN)

Production WAN connections were established between each of the sites hosting the isolated IPv6 labs. Separate WAN routers were deployed to minimize risk and allow any required configuration changes. The Phase IV tasks listed below positioned Bechtel for broader production deployment.

• Functional specs for pilot deployment on production network (WAN).

• Application layer validation in production network environment (WAN).

• After WAN pilot phase was complete, all future new WAN sites include IPv6 WAN connectivity.

• Other existing IPv4-only WAN links are being IPv6-enabled on a scheduled process, starting with large offices and major data centers.

Phase V (Lab): IPv6 and Connectivity to the Internet

Phases III and IV were completed "behind the firewall" to isolate Bechtel from any external IPv6 security risks. The major Phase V deliverables below positioned Bechtel for internal IPv6 interaction with IPv6 resources on the Internet.

• Functional specs for setting up IPv6-based connectivity to Internet (lab)

• Application layer validation (Internet-connected lab)

• IPv6 connections to the Internet with Bechtel's IPv6 address space

• Host firewalls

• IDS/IPS configuration and validation

• Security-related traffic logging

• Main connection scenarios are:

- Internal to DMZ

- Internet to DMZ

- Internal to Internet

- Internet to internal
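The Phase V deliverables combine host firewalls, IDS/IPS and security-related traffic logging with the four connection scenarios above. As an added example (written for this edit, not Bechtel's own tooling), the Python below classifies logged flows into those four scenarios by source and destination zone. The enterprise /32 is the one the page records; the DMZ /48 carved out of it, the link-local handling and the sample flow records are constructed assumptions. The one detail worth noticing is ordering: because the DMZ prefix sits inside the enterprise prefix, the zone lookup must test the more specific DMZ prefix first or every DMZ host is misfiled as internal.

```python
import ipaddress
from collections import Counter
from typing import Dict, Iterable, Tuple

# Zone definitions. The enterprise /32 is on the page; the DMZ /48 taken from
# inside it is a constructed assumption for this example.
ENTERPRISE = ipaddress.IPv6Network("2001:4920::/32")
DMZ = ipaddress.IPv6Network("2001:4920:ffff::/48")
LINK_LOCAL = ipaddress.IPv6Network("fe80::/10")


def zone(addr: str) -> str:
    """Map an address to a zone name, most specific prefix first."""
    a = ipaddress.IPv6Address(addr)
    if a in DMZ:            # must precede ENTERPRISE: DMZ is a subnet of it
        return "dmz"
    if a in ENTERPRISE:
        return "internal"
    if a in LINK_LOCAL:     # never routed; not one of the four scenarios
        return "link-local"
    return "internet"


# The four main connection scenarios named in Phase V.
SCENARIOS = {
    ("internal", "dmz"): "Internal to DMZ",
    ("internet", "dmz"): "Internet to DMZ",
    ("internal", "internet"): "Internal to Internet",
    ("internet", "internal"): "Internet to internal",
}


def classify(src: str, dst: str) -> str:
    """Name the scenario a flow belongs to, or 'other' for anything else."""
    return SCENARIOS.get((zone(src), zone(dst)), "other")


# Constructed sample flow records (source, destination, destination port);
# 2001:db8::/32 is the documentation prefix, standing in for Internet hosts.
SAMPLE_FLOWS = [
    ("2001:4920:1:64::10", "2001:4920:ffff::80", 443),  # internal client -> DMZ web
    ("2001:db8:1::1", "2001:4920:ffff::80", 443),       # outside client -> DMZ web
    ("2001:4920:1:64::10", "2001:db8:2::25", 25),       # internal -> Internet SMTP
    ("2001:db8:1::1", "2001:4920:1:64::10", 443),       # outside -> internal host
    ("fe80::1", "2001:4920:1:64::10", 546),             # link-local, not a scenario
]


def summarize(flows: Iterable[Tuple[str, str, int]]) -> Dict[str, int]:
    """Count flows per scenario, the figure a logging review would report."""
    return dict(Counter(classify(s, d) for s, d, _ in flows))


if __name__ == "__main__":
    for src, dst, port in SAMPLE_FLOWS:
        print(f"{classify(src, dst):22s} {src} -> [{dst}]:{port}")
    print(summarize(SAMPLE_FLOWS))
```

Counting flows per scenario is the minimum a logging validation step needs in order to confirm that each of the four paths is actually exercised and observed once the lab is connected to the Internet.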

Phase VI (Lab): Wireless and Mobile Access

This phase expands connectivity to wireless and mobile users. The steps below were designed to ensure functionality and security for wireless users with IPv6-enabled 802.11 or cellular access.

• Functional specs

• Wireless access points and wireless router configurations including 802.1x authentication with user and machine certificates

• Wireless management servers for security, management, and configuration

• Application layer validation in the context of mobile access (lab)

• Cellular/802.11 phone pilots

• Mobile field trial, including MIPv6

Phase VII (Production): Pilot Deployment of IPv6-Based Internet Connectivity

This is the staged implementation of Phase V work. The following work was required to enable production access from Bechtel's protected network to IPv6 resources on the Internet.

• Functional specs

• Application layer validation (Internet-connected production network)

• Final compliance check for ISO 27001

• Added to standing agenda for regular global Information Security calls

Phase VIII (Production): Wireless and Mobile Access

This is the staged implementation of Phase VI work. Major steps for the final IPv6 802.11 production deployment are listed below.

• Application layer validation in the context of mobile access (production network).

• Production IPv6 deployment on wireless access points and wireless routers through wireless LAN servers.

• All future wireless implementations include IPv6.

Phase IX (Lab): Voice/Data/Video Convergence

Bechtel is a heavy user of VoIP and video over IP. This phase is addressing converged IP services across multiple platforms.

• Functional specs

• Application layer validation in context of VDV convergence

The implementation plan was originally designed to be executed in a relatively linear mode. However, in practice Bechtel has executed parts of some phases in parallel.

IPv6 Metrics

Bechtel uses targets and metrics to manage its activities throughout the implementation phases highlighted above. The targets shown in Table 5-38 were established in late 2005.

Table 5-38 Bechtel IPv6 Implementation Goals (Late 2005)

Milestones         2006          2007            2008
LAN/WAN            5             50%             95%
Windows clients    1000          10,000          95%
Websites           6 internal    25%             95%
Apps, dual-stack   50 major      90%             100%
Mobility           Wireless      Remote access   Always on
Management         Basic         Over IPv4       Over IPv6
Security           Internal      External IPv6   Borderless projects

The progress made in the IPv6 implementation was closely monitored, as shown in Table 5-39.

Table 5-39 Bechtel 2008 IPv6 Implementation Progress Through 1Q-2008 and Planned for 4Q-2008

Milestones         2006          2007            2008
LAN/WAN            5             40%             95%
Windows clients    1000          16,000 (93%)    100%
Websites           6 internal    25%             95%
Apps, dual-stack   50 major      90%             100%
Mobility           Wireless      Remote access   Always on
Management         Basic         Over IPv4       Over IPv6
Security           Internal      External IPv6   Borderless projects

Bechtel's IPv6 implementation was not always linear. Once scalable deployment models were successfully piloted, they could be rapidly deployed throughout the enterprise using standard tools through existing change management processes. Table 5-40 below shows some of the large incremental changes that occurred when using standard SMS scripts to enable IPv6 on Bechtel's desktop and laptop computers in 2007. Note the large jumps in cumulative IPv6 clients 2Q-2007 through 3Q-2007.

Table 5-40 Bechtel 2008 IPv6 Implementation Progress Through 1Q-2008 and Planned for 4Q-2008

Month Ending   IPv6 Clients   Percent Complete
Apr-07         2050           12.1%
May-07         2889           17.0%
Jul-07         4237           24.9%
Aug-07         9983           58.7%
Sep-07         14,229         83.7%
Oct-07         15,650         92.1%
Nov-07         16,100         94.7%
Mar-08         16,400         95.1%

Bechtel understood from the beginning that IPv6 would be a wide-reaching, multiyear project. The timeline shown in Table 5-41 highlights some of the milestones and high points since the initiative was approved in late 2004 through its expected conclusion in late 2008.

Table 5-41 Bechtel Timeline for Enterprise Deployment of IPv6

Period     Activity

Oct-2004   CIO/SVP approval to proceed with enterprise deployment within Bechtel's infrastructure. Bechtel's federal global business unit identified as first pilot company working closely with corporate IT.

1H-2005    Budget approved, teams formed, project scoped, and critical partners identified and engaged (Cisco, Command Information, and Microsoft). Enterprise-wide IPv6 awareness campaign through a series of video "Tech Talks." First Bechtel IPv6 presentation at Cisco Technical Advisory Board. Network engineering training started. Started construction of IPv6 labs.

2H-2005    Acquired provider-independent IPv6 address space from ARIN: 2001:4920::/32. Four isolated IPv6 lab sites fully operational, including wireless and tunneled WAN connections. Standard computing and infrastructure services tested and verified in dual-stack mode.

1H-2006    Command Information contracted to help with detailed production implementation planning, including IPv6 address allocation, more detailed project planning, and industry best practices. Instructions to developers issued on developing IP version-agnostic code. Testing criteria established. IPv6 included in base Windows XP image for computers used on federal projects. SMS scripts developed and piloted to deploy IPv6 to Windows XP and Server 2003 computers. SMS reporting developed to track progress. Cisco, Command Information, and Microsoft engaged in regular dialog to share ideas, challenges, and solutions.

2H-2006    IPv6 enabled on network and computers in Software QA (SQA) lab used for all application testing. SMS scripts used for enabling IPv6 on computers office by office.

1H-2007    IPv6 integral part of Office 2007 testing in Windows XP. All client-side applications verified to operate dual-stack without issue. IPv6 enabled at most major offices (LAN and WAN). IPv6-enabled IDS/IPS installed.

2H-2007    90 percent of Bechtel IPv6-capable desktop and laptop computers are dual-stack. Greater than 50 percent of network ports are dual-stack. Production intranet web servers are IPv6-enabled.

1H-2008    IPv6 enabled on all IPv6-capable wireless access points and wireless routers. IPv6 enabled on remaining enterprise infrastructure and web servers. Centrally hosted application servers IPv6-enabled.

2H-2008    IPv6 enabled on remaining application servers. Selected production deployment of Windows Server 2008.

End 2008   Bechtel enterprise deployment of IPv6 hosts and networks is substantially complete.
