IPv6 service definition
The IPv6 service provided by IT-CS will match the IPv4 service in any term: not only the network connectivity will support the new protocol, but also the complete sets of provisioning and monitoring tools.
IPv4 and IPv6 will share the same Ethernet infrastructure and will be implemented in a dual-stack modality. CERN will not implement any IPv4-IPv6 address translation, to avoid some yet unresolved issues and to not have to use powerful address translator.
IPv6 will be provided only by network devices capable of processing this protocol in hardware, so to give the same level of performance as IPv4.
CERN prefixes
CERN has been assigned the public prefix 2001:1458::/32
CERN will use the local prefix FD01:1458::/32 [RFC4193] for hosts which don't need Internet access.
Subnet addresses
Every physical subnet will get at least one IPv6 prefix, public and/or local. The size of the IPv6 subnets used at CERN will always be /64, leaving 64 bits for the host addresses.
Device addresses
Every IPv4 address registered in LANDB will have assigned one IPv6 address with equivalent functionalities. This IPv6 address will inherit all rights and restrictions as the originating IPv4 one.
IPv6 addresses will be assigned by the DHCPv6 service provided by IT-CS, based on the MAC address of the device declared by the owner of the device. In order to keep the system manageable, IPv6 autoconfiguration will be disabled and rogue Router Advertisement messages filtered. Autoconfigured IPv6 addresses (EUI-64) will be blocked at the Central Firewall and at any filtering point.
Address Profile
Bits 89 to 104 of every IPv6 host address will be used to code the Profile of the address. Profiles may be used in different ways, to trigger different behaviors in specific parts of the network. For example, a given Profile may be filtered at the Central Firewall.
Connectivity
IT-CS will provide users with both IPv4 and IPv6 connectivity over the same physical media. The choice of the protocol to be used is left to the client device/application: it must be able to understand what protocol is the destination address and uses the same protocol family as source. Inter protocol communication (IPv4/IPv6 address translation) won't be provided by the CERN network.
Campus Network (GPN)
IPv6 will be provided to all the devices connected to the Campus Network, included devices connected via WIFI. Every physical subnet will be assigned one public and one local IPv6 prefix. Local IPv6 addresses can be used for VOIP phones, printers, ILMI interfaces and any other device which doesn't need Internet access.
LCG Network
The LCG network will have a setup similar to the GPN. The LCG may take special advantage of the large address space made available to every subnet in case Server Virtualization will be widely adopted.
Technical Network (TN)
The Technical Network will also get IPv6 connectivity but only with local connectivity (i.e. no Internet).
Experiments
Each Experiment will be assigned one private /44 prefix which IT-CS will route within the CERN networks. Public /44 prefixes will also be allocated, in case of future needs. Similarly to IPv4, Experiments will be free to use their own tools and services or rely on the ones provided by IT-CS.
Central Firewall
For IPv6, the Central Firewall will implement the same policies as for IPv4. The IPv6 configuration of the Central Firewall will be managed by the same tools which today manage the IPv4 part.
At the time of writing, IPv6 Policy Base Routing (PBR) is not implemented by any router vendor. PBR is the functionality used to offload the high speed data transfer from the Statefull Inspection Engine of the Central Firewall (aka HTAR). Thus HTAR won't be available in the first phase of the implementation, until the feature will be available. During this phase, it is foreseen to use a Statefull Inspection engine dedicated to the IPv6 traffic.
External Network
The CERN External network is already natively connected to the whole IPv6 world (i.e. without IPv6-over-IPv4 tunnels).
Mobile Network
The GSM mobile IP network is provided by the Telecom Operator of choice (Sunrise at the time of writing). Thus the Internet GSM service and the GSM VPN service will have to follow the IPv6 plan of the Operator.
Network services
DNS, DHCPv6, Radius and NTP will be available over the IPv6 network.
The existing IPv4 DNS, Radius and NTP servers will be modified so to provide their services also over IPv6. The DHCPv6 service will be configured in the current DHCP IPv4 servers.
DNS
DNS servers will be given dual stack connectivity and the DNS demon (ISC Bind) will listen on both the IP protocols. The servers will resolves names into IPv4 and IPv6 addresses (A and AAAA records) and they will support the inverse resolution of the zones 8.5.4.1.1.0.0.2.ip6.arpa and 8.5.4.1.1.0.D.F.ip6.arpa (the latter only in the internal DNS view).
The clients will be free to make DNS queries over IPv4 or IPv6; the replies provided will be the same (both A and AAAA records, if they exist for the same name). The decision on which record to use is up to the client (normally the IPv6 address is preferred).
DHCPv6
DHCPv6 servers will provide clients with the correct IPv6 information to use: IPv6 address and netmask, IPv6 default gateway, IPv6 DNS servers. DHCPv6 is independent from the IPv4 version: the demon is IPv6 only and a specific DHCPv6 client has to be started by the clients in order to exploit this service. The DHCPv6 server will be simailar to the SHCP service: only registered MAC addresses will receive an IPv6 assignment; the assigned IPv6 address will always be the same.
Radius and NTP
Radius and NTP servers will be given dual stack connectivity and will listen on both protocols. The content of the replies is independent of the protocol used.