
IPv6 deployment starts at network edge [Network World]
[February 28, 2012]


CLEAR CHOICE TEST: IPV6-ENABLED APPLICATION DELIVERY CONTROLLERS

6 ADCs deliver IPv6 capabilities to apps hosted on IPv4 Web servers.

IT execs know they will have to deploy IPv6 at some point, but where to begin? One approach that establishes some IPv6 capability without spending a lot of time or money is to start at the perimeter.



IPv6-enabling routers, firewalls and DNS servers should be straightforward. If an organization were to deploy an IPv6-capable server load balancer (SLB) or, using the most current term, application delivery controller (ADC), it could configure an IPv6 virtual IP (VIP) and an IPv4-only server farm.

This would allow Web apps hosted on IPv4-only servers to appear to the Internet user as IPv6 applications. The way it works is that clients connect to the IPv6 VIP, and the ADC performs a reverse-proxy function: it terminates the IPv6 HTTP Internet connection, then creates a new IPv4 HTTP back-end connection to the IPv4-only application servers. The server would not necessarily know the IP version being used by the client, and it would happily return the data to the ADC appliance using IPv4. The ADC appliance takes that IPv4 response from the server, copies the HTTP application data and transmits it back to the IPv6-connected client.
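The reverse-proxy behaviour described above, as an added illustration that is not code from the article or from any of the vendors reviewed: the proxy terminates the client's connection on the VIP, opens a separate IPv4 TCP session to the backend, strips any client-supplied X-Forwarded-For so the recorded client address cannot be spoofed, and copies the HTTP data back. The backend address 192.0.2.10 and the listen address are assumptions.

```python
import asyncio
import functools

BACKEND = ("192.0.2.10", 80)  # assumed IPv4-only application server (documentation range)
LISTEN = ("::", 8080)         # the IPv6 VIP that Internet-facing clients connect to


async def read_http_message(reader: asyncio.StreamReader, response: bool = False) -> bytes:
    """Read one HTTP/1.1 message. A request without Content-Length has no body; a
    response without Content-Length is read until the server closes the connection.
    Chunked transfer encoding is deliberately not handled in this illustration."""
    head = await reader.readuntil(b"\r\n\r\n")
    length = None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is not None:
        body = await reader.readexactly(length)
    elif response:
        body = await reader.read()
    else:
        body = b""
    return head + body


def add_forwarding_headers(request: bytes, client_ip: str) -> bytes:
    """Keep the client's Host header, drop any client-supplied X-Forwarded-For so the
    value cannot be spoofed, and record the real (IPv6) client address for backend logs."""
    head, sep, body = request.partition(b"\r\n\r\n")
    lines = [l for l in head.split(b"\r\n") if not l.lower().startswith(b"x-forwarded-for:")]
    lines.append(b"X-Forwarded-For: " + client_ip.encode())
    return b"\r\n".join(lines) + sep + body


async def handle_client(reader, writer, backend=BACKEND):
    """Terminate the client's TCP/HTTP connection on the VIP, open a brand-new IPv4
    connection to the backend, and copy the application data in both directions."""
    client_ip = writer.get_extra_info("peername")[0]
    try:
        request = await read_http_message(reader)
        b_reader, b_writer = await asyncio.open_connection(*backend)  # fresh IPv4 session
        try:
            b_writer.write(add_forwarding_headers(request, client_ip))
            await b_writer.drain()
            response = await read_http_message(b_reader, response=True)
        finally:
            b_writer.close()
        writer.write(response)  # the backend never sees the client's IPv6 address on the wire
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError, OSError):
        writer.write(b"HTTP/1.1 502 Bad Gateway\r\nContent-Length: 0\r\n\r\n")
    finally:
        await writer.drain()
        writer.close()


async def serve(listen=LISTEN, backend=BACKEND):
    server = await asyncio.start_server(functools.partial(handle_client, backend=backend), *listen)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(serve())
```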


We tested the IPv6 capabilities of the major ADC vendors' products: A10 Networks, Brocade, Cisco, Citrix, F5 and Riverbed/Zeus. We tested all of the IPv6 features that these vendors listed on their data sheets and determined that all of these systems are suitable for aiding in an Internet edge IPv6 deployment scenario.

One piece of good news: The ADC your company already owns may have IPv6 capabilities. It could be as simple as a software upgrade and you would have an IPv6-capable reverse proxy server that could help accelerate your IPv6 Internet edge deployment.

Long list of features

ADCs can provide a wide variety of IPv6 capabilities. Most of the products tested had these features:
* IPv4/IPv6 server load balancing (reverse proxy), IPv6 VIP with IPv4 or dual-protocol real servers/server farms
* SSL offload and acceleration for IPv6 VIPs and servers
* Ability to perform content filtering, regular expression matching and URL rewriting for IPv6 connections
* IPv6-capable Web application firewall (WAF)
* IPv6-enabled security features (distributed denial-of-service [DoS] protection, SYN-cookies, IPS, content filtering)
* Stateful access control lists (ACL) for IPv6 packets, ICMPv6 filtering, extension header filtering and denial of RH0 packets
* High availability for IPv6 connections
* Logging of IPv6 connections
* Ability to check the IPv6 neighbor cache entries
* IPv6 static routing

There are also some nice-to-have optional features:
* IPv6-enabled geographical server load balancing (GSLB)
* Authoritative dual-protocol DNS server
* Stateful NAT64 capabilities
* DNS64 integration with NAT64
* IPv6 routing protocol support (static routing, RIPng, OSPFv3, IS-IS [ST and MT], MP-BGP, RHI)
* Management with IPv4 and IPv6

There are also IPv6 features that apply to ISPs or large-scale data center companies:
* Large scale NAT (LSN), carrier grade NAT (CGN), NAT444
* 6rd (IPv6 rapid deployment) border relay
* Dual-Stack Lite (DS-Lite) AFTR

Many of these features have crept into ADC products over several years. Some are included as part of the base licensing, but be aware that some vendors may charge a premium for these IPv6 features.

We set up a testing environment that mimicked a typical Internet edge environment. We had an IPv4-only perimeter and we enabled it for IPv6. We performed testing from the perspective of an IPv6-enabled Internet user trying to establish connectivity to an IPv4-only Web server. We also tested NAT64 functionality, where an IPv6-only client may be trying to reach IPv4 Internet content.
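The NAT64/DNS64 scenario just mentioned (an IPv6-only client reaching IPv4-only content), as an added illustration that is not part of the article: DNS64 synthesizes an AAAA answer by embedding the IPv4 address in a /96 NAT64 prefix, and the NAT64 translator recovers that IPv4 address from the destination of the client's packets. It uses the RFC 6052 well-known prefix 64:ff9b::/96 and also shows a network-specific prefix; the addresses used are constructed from documentation ranges.

```python
import ipaddress

# RFC 6052 well-known NAT64 prefix; an operator may instead use a network-specific /96
WELL_KNOWN_PREFIX = ipaddress.IPv6Network("64:ff9b::/96")


def synthesize_aaaa(ipv4: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX) -> str:
    """DNS64: build the AAAA answer by placing the 32-bit IPv4 address in the low
    32 bits of the /96 NAT64 prefix (the RFC 6052 /96 embedding)."""
    if prefix.prefixlen != 96:
        raise ValueError("this illustration handles /96 prefixes only")
    v4 = ipaddress.IPv4Address(ipv4)
    return str(ipaddress.IPv6Address(int(prefix.network_address) | int(v4)))


def extract_ipv4(ipv6: str, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """NAT64: when a packet arrives for a synthesized address, recover the real IPv4
    destination. Returns None for destinations outside the translator's prefix."""
    v6 = ipaddress.IPv6Address(ipv6)
    if v6 not in prefix:
        return None
    return str(ipaddress.IPv4Address(int(v6) & 0xFFFFFFFF))


def dns64_answer(aaaa_records, a_records, prefix: ipaddress.IPv6Network = WELL_KNOWN_PREFIX):
    """DNS64 only synthesizes when the name has no native AAAA record, so dual-stack
    content is reached directly and only IPv4-only content goes through the NAT64."""
    if aaaa_records:
        return list(aaaa_records)
    return [synthesize_aaaa(a, prefix) for a in a_records]
```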

We tested each of these six ADCs and found that they were all capable of basic IPv4 and IPv6 server load balancing with SSL offload. We found that the support for IPv6 management, IPv6 routing and service-provider IPv6 features varied quite widely among the vendors' solutions. We found that all of these products would be suitable in an enterprise Internet perimeter environment and would aid in the transition to IPv6.

Here are the individual reviews:

A10 Networks AX2500: Highly scalable, feature-rich, lacks Web app firewall

A10 first started supporting IPv6 in its AX series in 2007. Since then, A10 has fully embraced IPv6. Today, A10 offers two versions of its software: one (2.6.1) for IPv6 SLB and one (2.6.6) for NAT64/DNS64/DS-Lite/6rd and LSN, also known as CGN or NAT444 (IPv4 preservation).

A10 also has a SoftAX virtual appliance for lab or production environments. We tested an AX2500, which lists for $24,995; however, A10 has appliances that range from $15,995 to $215,000, and its SoftAX virtual appliance can cost between $995 and $24,995. The great thing is that all of the AX features are included without additional license fees. The A10 Networks AX series of ADCs has many IPv6 features including IPv4/IPv6 SLB with SSL offload and GSLB over IPv6.

The AX can perform syslog for IPv6 connections using aFleX Tcl scripts. The AX also allows ping and management access using SSH, HTTP/HTTPS, SCP and SFTP over IPv6 transport.

Unfortunately, there are no IPv6 WAF capabilities in this version, but A10 appliances can integrate with other market-leading WAFs such as Imperva. We found that the A10 does provide other security features like protocol checking for HTTP, HTTPS and DNS, distributed DoS protections, rate limiting and ACLs.

Our testing determined that A10 supports static IPv6 routes and dynamic routing protocols for IPv6. The A10 can be configured for RIPng, OSPFv3, IS-IS and BGP.

A10's SoftAX virtual appliance can help support an organization's cloud computing and virtualization goals. The A10 AX appliances also support multi-tenancy and virtual chassis configurations.

AX appliances have extensive scalability due to their 64-bit architecture and their Advanced Core Operating System (ACOS). However, scalability may not be a concern for enterprises that may initially have low IPv6 traffic volumes.

The A10 Networks systems also provide service-provider features such as NAT64 and DNS64. The 2.6.6 software can be configured for NAT64 with DNS64, but there is also a documented Infoblox integration of DNS64 for A10's NAT64 configurations. The LSN, DS-Lite, 6rd and NAT64/DNS64 scalability of these appliances makes them attractive to service providers. In fact, the A10s compete well with more costly heavy-iron solutions from the large router vendors.

Brocade ServerIron ADX delivers

Brocade acquired Foundry Networks in 2008 and has continued innovating its routers, switches and server load balancers. Brocade first started adding IPv6 features to the ServerIron ADX platform in Version 11.0 and has continued to add IPv6 features to this ADC. We tested a Brocade ServerIron ADX 1216-4-SSL-PREM running Version 12.3.1 and the latest software Version 12.4.00T405, which has a list price of $45,995.

This system has the premium license, which includes Layer 3 routing, IPv6, GSLB and an additional license for SSL offload. Brocade very recently came out with this new software that adds to the number of available IPv6 features. One item of note is that Brocade has a "pay-as-you-grow" licensing model and licenses the ADXs based on the software features, number of processors and bandwidth you require. Therefore, to get IPv6 capability on the ADX you must purchase the premium license.

The ADX supports IPv4 and IPv6 server load balancing as a reverse proxy server. VIPs can use either IPv4 or IPv6 addresses and have either IPv4 or IPv6 real servers. Brocade has completely rewritten its IP stack to accommodate and streamline IPv6. However, our testing revealed that its system only supports SSL offload for IPv4 VIPs using IPv4 real servers or IPv6 VIPs using IPv6 real servers. In software release 12.4, the ADX will be able to perform SSL offload for IPv6 VIPs using IPv4 real servers and mixed-protocol server farms.

We set up the ADX and configured Web management over IPv6, and we also entered IPv6 addresses into the configuration through the Web GUI. We used SSH over IPv6 transport and SNMP worked over IPv6. Syslog did not work for IPv6 syslog servers, but IPv6-related log messages can be sent to an IPv4 syslog server.

The ADX also supports a wide variety of IPv6 routing protocols including OSPFv3, IS-IS (single-topology or multi-topology) and MP-BGP.

The ADX offers IPv6 security features and allows you to configure complex IPv6 access lists. The ADX now supports SYN-Proxy (SYN-cookies) for IPv6 traffic, and setting the MSS works for IPv4 or IPv6 packets. We found that other features such as distributed DoS protection, IPS and content filtering are also IPv6-capable. However, the Brocade ServerIron does not have an IPv6-capable WAF.

The ServerIron ADX can act as an authoritative dual-protocol DNS server, function as a DNS proxy server and perform IPv4 and IPv6 GSLB.

The Brocade ADX supports NAT64 in the same software and hardware, but it is configured in a different operating mode from traditional SLB functions. Our testing determined that you cannot have a single ADX appliance function as a NAT64 system and a server load balancer at the same time.

The ADX has capabilities for IPv6-only or IPv4-only clients. The Brocade ServerIrons can perform LSN/CGN/NAT444, but do not currently support 6rd or DS-Lite.

Cisco ACE: features are limited

The Cisco Application Control Engine (ACE) has been available for many years in many forms, but only a few months ago did the Cisco ACE begin to support IPv6. ACE software release A5 (1.1) runs on the ACE30 module for a Cisco 6500 switch and the ACE4710 appliance. Unfortunately, customers that have invested in ACE10 or ACE20 modules will not be able to use this version and will face hardware upgrades to support IPv6. There are ACE10/20 to ACE30 upgrades available for $30,000. The device that we tested was the ACE-471001-K9 running software Version A5 (1.1), which has a list price of $29,995.

Cisco ACE modules and appliances have licensing that allows the upgrade of the performance of the units, the number of SSL connections and the number of virtual contexts. There is no additional charge for IPv6 support on the ACE. If you are familiar with configuration of Cisco devices using contexts, then you will feel right at home with this system.

The Cisco ACE performed server load balancing for IPv6 VIPs with IPv6 real servers and IPv6 VIPs with IPv4 real servers. We easily configured IPv6 health probes and the Layer 4/Layer 7 policies and SSL offload work for IPv6 connections. HTTP/HTTPS and DNS inspection (application awareness) work for native IPv6-IPv6 traffic. The ACE allowed us to configure IPv6 ACLs and perform packet capture of IPv6 packets. The ACE has IPv6 security features and it can filter extension headers and perform fragmentation inspection, IPv6 ICMP-guard, IPv6 normalization and IPv6 Unicast-RPF checking. The ACE can act as a DHCPv6 relay and can either send routing advertisements on its Ethernet interfaces or suppress them. In the ACE, fault tolerance is not supported over IPv6 but it can track IPv6 connectivity and use IPv6 alias addresses on its interfaces.

The ACE does have some limitations. It does not support IPv6 dynamic routing protocols, but it does have IPv6 static routing and IPv6 Route Health Injection (RHI). The ACE does not have stateful NAT64, with or without DNS64. We could not configure IPv6 transport for management protocols (SSH, Telnet, SNMP, HTTP/HTTPS), but IPv6 MIB values are available for SNMP query over IPv4 transport.

We were able to perform IPv6 configuration through the Web GUI, but it is only accessible over IPv4. We could ping the ACE using ICMPv6 and could send syslog messages with IPv6 addresses in them. The ACE GSS 4492 does have IPv6 support for GSLB. However, in August 2011, Cisco announced end of sales for its ACE WAF, so it will never be IPv6-capable.

Citrix NetScaler: Fully featured

NetScaler has supported IPv6 for more than seven years. IPv6 capabilities are available in the platinum, enterprise and standard edition feature sets, and now IPv6 comes enabled by default for no additional cost. We tested using a Citrix NetScaler MPX7500 running software Version 9.3-52.3 that costs $22,000. In addition to Citrix's hardware appliances, the company offers a virtual appliance called the NetScaler VPX.

It was easy to configure IPv6 addresses on interfaces and VLANs through either a command line interface (CLI) or the GUI. The NetScaler supports configuring IPv6 VIPs with IPv6 or IPv4 services. SSL offload worked for IPv6 and health probes operate over IPv6. Content switching worked for IPv6 connections and regular expressions could be created using IPv6 addresses. URL rewriting also worked for IPv6 VIPs. We could configure IPv6 for RADIUS servers, TACACS+ servers, LDAP servers, syslog servers and DNS servers.

The NetScaler can be an authoritative DNS server for IPv6 AAAA address records, which is important for the GSLB functionality. IPv6-capable DNS services help make GSLB work for IPv6 addresses. High availability could also use IPv6 addresses. We could create traffic filters that contain IPv6 addresses, and IPv6 ACLs were easy to configure. We could manage the NetScaler over IPv6 transport, and there are IPv6-specific MIBs/OIDs for the NetScaler that we could query over IPv6 SNMP. We were also able to create custom log formats using IPv6 source/destination addresses and the v-server address.

The built-in Web application firewall helps secure IPv4 and IPv6 services from attacks. Policies can be created and applied to IPv6 applications just as easily as for IPv4 applications. The NetScaler software allows for the configuration of static IPv6 routes, and we also configured OSPFv3 and RIPng in the IP Infusion ZebOS Cisco-like interface. The NetScalers have IPv6 NAT, inbound network address translation (INAT) and prefix-translation capabilities. The NetScalers also support NAT64 and DNS64. The Citrix NetScaler also has IPv6 SSL VPN "Access Gateway" services.

F5 BIG-IP: Easy to customize

F5 has supported IPv6 in its BIG-IP ADC products for several years. The device we tested was the BIG-IP 3900 Local Traffic Manager Enterprise Edition, which has a list price of $52,995. This unit also includes the Global Traffic Manager module, for an additional $23,990. We tested using BIG-IP software Version 11.1.0 Build 1943.0. The F5 hardware architecture combines x86_64 processors and FPGAs/network processors to provide performance and flexibility.

It was relatively easy to configure the unit with IPv6 addresses for self IPs. It was easy to use the GUI to configure IPv6 VIPs for IPv4 or IPv6 application servers. F5 supports IPv6 static and dynamic routing through the IP Infusion ZebOS configuration CLI, although we had difficulties getting router adjacencies configured. The BIG-IP supports route domains (like virtual routers), administrative partitions (multi-tenancy) and virtual clustered multiprocessing (vCMP), which runs different software versions simultaneously on the chassis hardware.

The documentation mentioned that you must configure radvd for IPv6 support. However, we found that you do not need to configure radvd unless you need the BIG-IP to act like a default gateway router. In other words, if you want computers that are directly connected to the F5 to hear router advertisement ICMPv6 messages from the F5, then you must configure radvd through the CLI.

We configured the Web management interface to use either IPv4 or IPv6, but it cannot do both simultaneously. The self IPs were reachable using IPv6 and SSH, and the F5 did allow for remote management of the system over IPv6 using SNMP v1/v2c/v3.

One of the powerful features of F5 LTMs is the iRules event-driven scripting language, which allows the administrator to customize how application traffic is handled. iRules can be configured for matching on IPv6 addresses.

The latest version, 11.1, now has IPv6 support for the Application Security Manager (WAF). This operating mode on the BIG-IP hardware should provide HTTP protocol inspection to protect IPv6 Web applications; however, we were not able to get this configured.

F5 also sells a virtual appliance called the BIG-IP Local Traffic Manager (LTM) Virtual Edition (VE), which can be an IPv6 load balancing gateway with NAT64/DNS64 support.

Riverbed Stingray Traffic Manager: Easy to set up

Zeus Technology, which has been in business since 1995, released a virtual ADC appliance in 2004 and added IPv6 support to Zeus Traffic Manager in 2006. Last year Riverbed acquired Zeus, and now the virtual ADC system is called the Stingray Traffic Manager.

Stingray Traffic Manager Version 8.0 was released on Oct. 25, with Version 4.1 of the Stingray Application Firewall now built into the Traffic Manager software distribution. Pricing for the Riverbed Stingray Traffic Manager 8.0 starts at $5,500 and goes up to $63,000 for the 4000VH.

The Stingray Traffic Manager was very easy to set up as a virtual machine (VM). Nothing needed to be configured on the CLI of the virtual appliance. The only time we used the CLI was to gracefully shut down the system. All other administrative tasks were performed with a Web browser to connect to the management interface IP address.

Configuration was very simple, and in just a few clicks we had IPv4-to-IPv4, IPv6-to-IPv6 or IPv6-to-IPv4 load balancing configured. The interface is intuitive enough that you may even be able to resist the urge to read the manual and still configure it successfully. It was trivially easy to configure IPv4 and IPv6 front-end and back-end servers and services and IPv6-enabled SSL offload. Anywhere we could configure an IPv4 address we could configure an IPv6 address instead. We found that if we configured a fully qualified domain name (FQDN), then it performed an IPv4 DNS lookup first, but if that failed then it used the IPv6 address returned by DNS. The Stingray Traffic Manager does not support stateful NAT64, but it does function as a proxy for IPv4 and IPv6 connections. Stingray Traffic Manager Version 8.0 does not support IP transparency for IPv6 back ends or clients.

The Stingray supports TrafficScripts, which can be used for advanced traffic handling or for preventing distributed DoS attacks. We even successfully tested the Stingray Traffic Manager ZeusBench, which is a built-in IPv4/IPv6 traffic/server testing system. Information exchanged between traffic managers or clusters is done over IPv4, and heartbeat messages use only IPv4 packets.

The Stingray Application Firewall, the Application Firewall Module (AFM), does not support IPv6. Also, the GSLB Multi-Site Manager (MSM) lacks IPv6 capabilities. The Zeus Traffic Manager cannot run a dynamic routing protocol like OSPFv3, but this is in development and should be available soon.

Conclusions

The transition to IPv6 is already underway. Much of your IPv6 Internet-perimeter infrastructure is already IPv6 capable. Regional Internet registries have IPv6 addresses to give you, and your ISP may already have IPv6 Internet connectivity ready for you.

Use of an IPv6-capable reverse proxy server could help accelerate your IPv6 Internet edge deployment. If you already own one of these systems, you have very little capital expenditure to get your organization's Web applications to be reachable with IPv6.

If you own an ADC that does not have IPv6 capabilities, then it would be worth speaking to your vendor. However, if your vendor has not put IPv6 on its product development road map, then you are likely to be purchasing a new system to gain this functionality. Any of the six products in this test will fit the bill.

Read how IPv6 dual-stack strategy starts at the perimeter: tinyuri.com/7oapjniy

How to shop for application delivery controllers

The difference among application delivery controllers is the way they can be integrated into your organization's network topology. Most organizations may deploy a server load balancer/ADC in-line as a Layer 3 reverse proxy server. This configuration requires public/global addresses on the external interface and private addresses on the internal interface. On the back end, IPv4 servers use RFC 1918 IPv4 addresses, but with IPv6 it is not necessary to use private unique local addresses for the internal networks. ADCs that operate this way are fully stateful and perform TCP normalization and traffic inspection, which benefits security.

Other products may operate virtually in-line as a proxy server, but not be directly in the traffic path. These solutions may require the use of source NAT or policy-based routing, or act as the server's default gateway to force the traffic through the ADC. These products can allow Direct Server Return and may lack stateful awareness of the connections.

Other systems may operate at Layer 2 and create a bridge between two virtual LANs or subnets. These products may use a bridged virtual interface or proxy and/or source-NAT to get the traffic to go through the appliance.

There are also more products being offered as a virtual appliance at the hypervisor layer. The server VMs use the virtual appliance as their proxy-server or default gateway. Many organizations prefer virtual appliance solutions because they are easy to test and can be deployed quickly.

Another feature that is important is URL rewriting. If the external FQDN for the IPv6 website is different from the FQDN in the IPv4 internal Web application's embedded links, then those links will need to be rewritten to the IPv6 FQDN. This feature ensures that the site does not automatically fall back to the IPv4-embedded links and keeps the client believing that the entire site is reachable over IPv6.
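The rewriting step described above, as an added illustration that is not code from the article or any reviewed product: it rewrites absolute links in HTML bodies and redirect Location headers from the internal FQDN to the external IPv6 FQDN and recomputes Content-Length afterwards, so a client is never handed a link that only resolves over IPv4. Both host names are constructed, and the hostname match is anchored so look-alike names such as app.corp.example.evil are left alone.

```python
import re

INTERNAL_FQDN = b"app.corp.example"   # constructed: name embedded in the IPv4-only app's links
EXTERNAL_FQDN = b"www.example.com"    # constructed: public name that resolves to the IPv6 VIP


def rewrite_links(text: bytes, internal: bytes = INTERNAL_FQDN, external: bytes = EXTERNAL_FQDN) -> bytes:
    """Replace absolute http(s) URLs whose host is exactly the internal FQDN. The lookahead
    stops look-alikes such as 'app.corp.example.evil' or 'app.corp.example-old' from matching."""
    pattern = re.compile(rb"(https?://)" + re.escape(internal) + rb"(?=[/:\"'\s>]|$)", re.IGNORECASE)
    return pattern.sub(lambda m: m.group(1) + external, text)


def rewrite_response(raw: bytes, internal: bytes = INTERNAL_FQDN, external: bytes = EXTERNAL_FQDN) -> bytes:
    """Rewrite a backend HTTP response before it goes to the IPv6 client: fix redirect
    Location headers, rewrite HTML bodies, and recompute Content-Length afterwards."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    out, is_html, chunked, had_length = [lines[0]], False, False, False
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        lname = name.strip().lower()
        if lname == b"location":
            line = b"Location: " + rewrite_links(value.strip(), internal, external)
        elif lname == b"content-type" and b"text/html" in value.lower():
            is_html = True
        elif lname == b"transfer-encoding":
            chunked = True      # chunk sizes would change; the body is left untouched here
        elif lname == b"content-length":
            had_length = True
            continue            # re-emitted below with the rewritten body's length
        out.append(line)
    if is_html and not chunked:
        body = rewrite_links(body, internal, external)
    if had_length:
        out.append(b"Content-Length: " + str(len(body)).encode())
    return b"\r\n".join(out) + sep + body
```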

Scott Hogg is director of Technology Solutions at GTRI, chair of the Rocky Mountain IPv6 Task Force, and author of a Cisco Press book on IPv6 security. He can be reached at scott@hoggnet.com.

(c) 2012 Network World Inc.
