IPv6 Deployment on Enterprise Network: Transition from IPv4 to IPv6
Transition from IPv4 to IPv6
Submitted To:
Mr. Mobeen Shahroz
Submitted By:
Adnan Irshad (IT-171035)
Methodology
Based on the previously proposed paper, which surveyed the transition mechanisms and current practices
in the enterprise networks studied, nearly all IPv6 deployments in enterprise networks use the dual
stack mechanism, because it lets the organisation learn IPv6 and gain practical experience with the
new address family, which plays an important role in the success of the transition.
Therefore, in this document we choose the dual stack methodology to build a model for large
enterprise networks.
Figure 2: Dual Stack Transition
The dual stack router can communicate with both networks. It provides a medium for the hosts to
reach a server without changing their respective IP versions.
However, the presence of IPv6 makes the network susceptible to attack, as we saw in the literature
review in the previously proposed document. One of the major problems of the dual stack transition
mechanism is the security threats it introduces. These threats include:
Scanning
Unauthorized access
Fragmentation
Spoofing
Broadcast Amplification attacks
Autoconfiguration and Neighbor Discovery (ND)
To remove the security threats in the dual stack transition method we propose the following
measures in our design, as discussed in the proposed document.
1. Filtering on the IPv4 header: Administrators who have not deployed IPv6 must first ensure
that it is not being used maliciously without their knowledge. Filtering all traffic with
protocol 41 set in the IPv4 header will prevent known IPv6 traffic from being tunneled
within IPv4, thus preventing back doors from being created within the network.
However, tunnels can also be set up over UDP, HTTP (port 80) and so on, so the author
recommends using an IDS to carefully detect and monitor all tunneled traffic for instances
of IPv6 traffic.
2. Filtering on the IPv4 header and the UDP header: IPv6 Teredo traffic (also called NAT
traversal, NAT-T, for IPv6; it provides address assignment and automatic tunneling for IPv6
connectivity across the IPv4 Internet even when the IPv6/IPv4 hosts are located behind one or
more IPv4 NATs) is carried inside IPv4 and UDP on port 3544. To protect against such Teredo
traffic, drop (filter) all traffic with the source or destination UDP port set to 3544.
3. Increased dependence on multicast addresses in IPv6: this could have interesting
implications for flooding attacks. For example, all routers and NTP servers have site-specific
multicast addresses.
4. Firewall research: The fundamental element within the current and foreseeable security
model is the firewall. To prevent holes from appearing in the security model when IPv6 is
introduced, adequate investigation into how best to mirror the current IPv4 firewall settings
over to IPv6 is essential. This can be ambiguous due to the modifications within the
protocol, such as the extensive use of ICMPv6 and the inclusion of extension headers. In
addition, the author recommends that the policy be extended with RFC 2827 filtering to verify
that all outgoing traffic comes from a valid internal IP address within the subnet.
Rules to filter site-scope IPv6 destination addresses at the boundary must not be
omitted.
In our proposed system we will protect the network against these vulnerabilities by
implementing the firewall method together with the dual stack transition.
To implement our proposed methodology, we must first design the enterprise network.
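To make filtering rules 1, 2 and 4 above concrete, the following is an added Python example (my own code, not part of the report and not any vendor's firewall code). It parses the IPv4 and UDP headers of a few constructed sample packets and flags protocol-41 encapsulation and Teredo on UDP port 3544, then applies an RFC 2827 source check and a site-scope destination check to IPv6 addresses. The sample packets, the RFC 5737 and 2001:db8::/32 documentation addresses and the site prefix are constructed for the example; the protocol number and the Teredo port are the IANA values the text names.

```python
import ipaddress
import struct
from typing import List, Optional, Tuple

# IANA-assigned values named in the text; these are not assumptions.
PROTO_UDP = 17
PROTO_IPV6_ENCAP = 41      # IPv6 encapsulated directly in IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544         # Teredo: IPv6 inside UDP inside IPv4


def build_ipv4(proto: int, src: str, dst: str, payload: bytes) -> bytes:
    """Constructed sample input only: minimal IPv4 packet, no options, zero checksum."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    return header + payload


def build_udp(sport: int, dport: int, payload: bytes) -> bytes:
    """Constructed sample input only: UDP datagram with a zero checksum."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fixed IPv4 header (RFC 791) and return the fields a filter needs."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _, _, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a well-formed IPv4 packet")
    return {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:]}


def classify_tunnel(pkt: bytes) -> Optional[str]:
    """Rules 1 and 2: '6in4' for protocol 41, 'teredo' for UDP port 3544, else None."""
    hdr = parse_ipv4(pkt)
    if hdr["proto"] == PROTO_IPV6_ENCAP:
        return "6in4"
    if hdr["proto"] == PROTO_UDP and len(hdr["payload"]) >= 8:
        sport, dport, _, _ = struct.unpack("!HHHH", hdr["payload"][:8])
        if TEREDO_PORT in (sport, dport):
            return "teredo"
    return None


def scan(packets: List[bytes]) -> List[Tuple[int, str]]:
    """Run classify_tunnel over a capture; return (index, verdict) for every hit."""
    hits = []
    for i, pkt in enumerate(packets):
        verdict = classify_tunnel(pkt)
        if verdict is not None:
            hits.append((i, verdict))
    return hits


def egress_source_ok(ipv6_src: str, site_prefix: str) -> bool:
    """Rule 4, RFC 2827 egress filtering: an outbound packet must carry a source
    address inside the site's own prefix; anything else is treated as spoofed."""
    return ipaddress.IPv6Address(ipv6_src) in ipaddress.IPv6Network(site_prefix)


def must_drop_at_boundary(ipv6_dst: str) -> bool:
    """Rule 4, site-scope destinations: site-local unicast (fec0::/10, deprecated by
    RFC 3879 but still the addressing this design uses) and multicast whose scope
    field is site-local (5) or narrower must not cross the boundary router."""
    addr = ipaddress.IPv6Address(ipv6_dst)
    if addr in ipaddress.IPv6Network("fec0::/10"):
        return True
    if addr.is_multicast:
        return (addr.packed[1] & 0x0F) <= 5   # low nibble of the second byte is the scope
    return False


# Constructed sample capture (RFC 5737 documentation addresses).
SAMPLE_PACKETS = [
    build_ipv4(PROTO_UDP, "192.0.2.10", "198.51.100.53", build_udp(5353, 53, b"dns?")),
    build_ipv4(PROTO_IPV6_ENCAP, "192.0.2.10", "198.51.100.1", b"\x60" + b"\x00" * 39),
    build_ipv4(PROTO_UDP, "192.0.2.20", "198.51.100.2",
               build_udp(40000, TEREDO_PORT, b"teredo")),
    build_ipv4(6, "192.0.2.30", "198.51.100.3", b"\x00" * 20),   # plain TCP, protocol 6
]

if __name__ == "__main__":
    for idx, verdict in scan(SAMPLE_PACKETS):
        print(f"packet {idx}: {verdict} tunnel detected -> drop and alert")
    print("egress source valid:", egress_source_ok("2001:db8:1::5", "2001:db8::/32"))
    print("drop at boundary:", must_drop_at_boundary("ff05::2"))
```

The packet parser stops at the outer IPv4 and UDP headers, which is exactly what the two header-based rules inspect; as rule 1 notes, tunnels over HTTP or other ports are not caught this way and need the IDS to look inside the payload.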
1. Enterprise Network Design
Our model has three main areas. First, the headquarters model, the center of operations or
administration in an enterprise, consists of four groups:
Group 1: The Demilitarized Zone (DMZ) contains the most important servers in the enterprise,
such as the web server, database server, file server and exchange server. Each of them stores
confidential information that can only be accessed by authorized personnel, and they provide
information and data for users inside and outside the network. However, due to the nature of
these services, the servers are usually exposed to untrusted networks. Therefore, in the DMZ,
network administrators apply all the latest patches, technology and security measures to
protect the network from hackers and other threats.
Group 2: This group is named “The Intrusion Prevention”; it is the combination of the
authentication server, VPN server and intrusion prevention servers, responsible for checking
logged-in users as well as protecting the whole network from attacks or penetration.
Group 3: Known as “The Service Provision”, this group contains DHCP server, FTP server, DNS
server, etc., providing necessary services throughout the system.
Group 4: Within this “Client Zone” group is the place for all client computers, laptops, mobile
phones, etc., to connect to the network in the enterprise.
Headquarters
Thirdly, the group of ISP routers with VPN users who perform their work outside the enterprise
network but still need access to data on the protected servers inside the network.
2. Implementation
i. Dynamic Host Configuration Protocol (DHCP)
DHCP is used to assign IP addresses automatically for end devices, such as laptops, desktops,
and mobile phones when joining the network.
In our model, since we apply the dual stack method, there is one DHCPv4 server for IPv4
distribution and one DHCPv6 server for IPv6 assignment. A server in the “Service Provision”
group provides IPv4 addresses for all devices in the “Client Zone” group and is configured as
in Appendix 2. For IPv6, although the IPv6 address space is very large, we apply IPv6 unicast
site-local addresses for the local clients to ensure security and better management. However,
due to the limitation of the simulator program, the edge router will act as the DHCPv6 server
for the distribution of IPv6 addresses to client devices.
ii. Open Shortest Path First (OSPF)
There are several distinct networks within a large system, such as the network for servers,
the network for clients and the network for security. As a result, a routing protocol is
required to connect these networks together so that a user on the client network can
communicate with the servers to access private information. Among the many routing protocols,
we choose OSPF, a link-state routing protocol for IP that is well suited to large enterprise
networks because of its capability and interoperability. In the enterprise network model,
following the dual stack transition, we create and maintain two routing tables, one for IPv4
and one for IPv6.
iii. Border Gateway Protocol (BGP)
In order to build our model, we need to set up the Internet to enable communication
between the headquarters and the branches. Therefore, we apply the BGP routing protocol,
which is mainly used by core routers between autonomous systems around the world. Most
ISPs use this protocol to communicate with each other.
iv. Virtual Private Network (VPN)
A VPN is a private network used by nearly every large company to give mobile employees
convenient access while still ensuring the safety of data carried over the Internet.
v. Security Establishment
The most important matter in large networks is security, especially with the new IPv6
implementation. Security is established during the implementation of the infrastructure to
keep the system safe when using both IPv4 and IPv6. These measures include setting usernames
and passwords, applying network policies, encrypting data when it is sent and received, and
creating access lists for better control and management.
vi. Enterprise Network Topology Design
Procedure
1. Run system-view
The system view is displayed.
2. Run ipv6
IPv6 packet forwarding is enabled.
By default, IPv6 packet forwarding is disabled on the device.
To enable a device to forward IPv6 packets, enable IPv6 packet forwarding in the system
view; otherwise, the device fails to forward IPv6 packets even if an IPv6 address is
configured for an interface on the device.
3. Run interface interface-type interface-number
The view of the interface to be enabled with IPv6 is displayed.
4. Run ipv6 enable
The IPv6 function is enabled on the interface.
Before performing IPv6 configurations in the interface view, enable the IPv6 function in the
interface view.
By default, the IPv6 function is disabled on an interface.
2. Configuring an IPv4 Address and an IPv6 Address for Respective Interfaces
The device to be enabled with the dual stack must be configured with an IPv4 address on the
IPv4 network-side interface and an IPv6 address on the IPv6 network-side interface.
Procedure
1. Run system-view
The system view is displayed.
2. Run interface vlanif vlan-id
The IPv4 network-side interface view is displayed.
3. Run ip address ip-address { mask | mask-length }
An IPv4 address is configured for the interface.
4. Run quit
Return to the system view.
5. Run interface vlanif vlan-id
The IPv6 network-side interface view is displayed.
6. Run the following commands as required.
Run ipv6 address auto link-local
The interface is configured to automatically generate a link-local address.
Run ipv6 address ipv6-address link-local
A link-local IPv6 address is manually configured for the interface.
Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
A global unicast IPv6 address is configured for the interface.
Run ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length } eui-64
An IPv6 address in EUI-64 format is configured for the interface.
3. Verifying the IPv4/IPv6 Dual Protocol Stack Configuration
Procedure
Run the display ipv6 interface [ interface-type interface-number | brief ] command to check
IPv6 attributes of an interface.
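As an added example (my own code, not the report's and not vendor code), the following Python generates the command sequence of the two procedures above for one dual stack device, and also performs the EUI-64 calculation that the eui-64 keyword in step 6 carries out on the device, so that an administrator can predict the interface's address for DNS entries and firewall rules before the device is configured. The interface names, the 192.0.2.0/24 and 2001:db8:1::/64 documentation addresses and the MAC address are constructed sample values; the command syntax follows the procedure text.

```python
import ipaddress
from typing import List, Optional


def eui64_interface_id(mac: str) -> str:
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291, Appendix A):
    split the MAC in two, insert ff:fe, and invert the universal/local bit."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    iid[0] ^= 0x02                          # flip the U/L bit of the first octet
    hexstr = iid.hex()
    return ":".join(hexstr[i:i + 4] for i in range(0, 16, 4))


def eui64_address(prefix: str, mac: str) -> str:
    """Predict the address that 'ipv6 address <prefix> eui-64' will derive."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix (64-bit interface ID)")
    iid_int = int(eui64_interface_id(mac).replace(":", ""), 16)
    return str(ipaddress.IPv6Address(int(net.network_address) | iid_int))


def dual_stack_commands(ipv4_if: str, ipv4_cidr: str,
                        ipv6_if: str, ipv6_cidr: str,
                        mac: Optional[str] = None) -> List[str]:
    """Emit the commands of the two procedures for one device: enable IPv6
    forwarding globally, enable IPv6 on the interface, assign the IPv4 address,
    then assign the IPv6 addresses (EUI-64 form when a MAC is supplied) and
    finish with the verification command."""
    v4 = ipaddress.IPv4Interface(ipv4_cidr)
    v6 = ipaddress.IPv6Interface(ipv6_cidr)
    if v6.ip.is_link_local:
        raise ValueError("fe80::/10 addresses are set with 'ipv6 address ... link-local'")
    cmds = [
        "system-view",
        "ipv6",                                  # IPv6 packet forwarding, off by default
        f"interface {ipv6_if}",
        "ipv6 enable",                           # must precede any IPv6 interface config
        "quit",
        f"interface {ipv4_if}",
        f"ip address {v4.ip} {v4.network.prefixlen}",   # mask-length form
        "quit",
        f"interface {ipv6_if}",
        "ipv6 address auto link-local",
    ]
    if mac is None:
        cmds.append(f"ipv6 address {v6.with_prefixlen}")
    else:
        eui64_address(v6.with_prefixlen, mac)    # enforces the /64 requirement up front
        cmds.append(f"ipv6 address {v6.network.with_prefixlen} eui-64")
    cmds += ["quit", f"display ipv6 interface {ipv6_if}"]
    return cmds


if __name__ == "__main__":
    # Constructed sample values: VLAN interfaces, documentation prefixes, made-up MAC.
    for line in dual_stack_commands("vlanif 10", "192.0.2.1/24",
                                    "vlanif 20", "2001:db8:1::/64",
                                    mac="00:11:22:33:44:55"):
        print(line)
    print("expected EUI-64 address:",
          eui64_address("2001:db8:1::/64", "00:11:22:33:44:55"))
```

The predicted EUI-64 address is only as private as the MAC it is derived from; a firewall rule written for it therefore also pins the host's hardware identity, which is convenient for the server groups above but is one reason to prefer manually assigned global addresses for them.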
Conclusion
The first objective was to understand the current IPv6 transition methods based on knowledge
of IP in general as well as IPv4 and IPv6. The authors learned that the global IPv4 free pool
is now completely exhausted, so the transition to IPv6 will be a must in the near future. Three
transition methods are the most applied: dual stack, translation and tunneling. Each of them has
its own advantages and disadvantages. The second objective was to analyze the real-life
experiences of enterprises that had deployed IPv6.
On the other hand, some enterprises were not interested in the IPv6 transition for the
following reasons:
Business is still going on well
Training costs
No instant advantages
No solution from service providers
No backward compatibility
For the above reasons, dual stack seems to be the best method. It is flexible because it
uses both IPv4 and IPv6 at the same time on the routers, and it is easy to handle. The
translation method makes the network vulnerable, as the whole network will collapse if
something goes wrong with the routers during the transition process. So, in our proposed
methodology we provide three methods to protect the network from these vulnerabilities.