With IPv6 on the horizon we thought it best to start preparing for it. Since most of our network vendors don’t fully support IPv6 yet, we are starting internally. I am going to give you a quick rundown of what we had to do that was “extra” to get IPv6 to play with Active Directory (AD), along with a cut-down version of the background surrounding it.
Very quick synopsis of IPv6
The IPv6 address space is huge. The long-term intent is to have enough IP addresses to assign a public address to every single device, plug, outlet, fridge, stove, smart phone, headset, VoIP phone, ice maker, dog collar, door, window, car and child, among others. With IPv4 we would typically assign every computer in our network a private address in a range like 192.168.1.1 - 192.168.1.254. The router or firewall would then translate the internal addresses to external addresses as required. This process is called Network Address Translation, or NAT. With IPv6, NAT will be a thing of the past. As far as I know NAT doesn’t even work with IPv6. You may question the security of this, but don’t forget the data still must flow through a router or firewall that will have rules in place to protect the traffic. Also, we wouldn’t publish every machine in a public DNS, so good luck guessing the address anyway.
How huge is huge?
IPv4 has a shade over 4 billion unique addresses. IPv6 has over 340 undecillion addresses. That is so many that even the word undecillion is flagged as a misspelling in Microsoft Word 2010. What does that look like? 340,000,000,000,000,000,000,000,000,000,000,000,000. Yep, so it’s huge. Finally, no more lost golf balls, as every golf ball will be able to have a routable IP address and a GPS tracker built in.
What does it look like?
This is an example of a Unique Local Address, or ULA. These are supposed to be randomly generated, using a time stamp and a MAC address in the calculation, so that they have a high likelihood of uniqueness. In other words, it is still possible for them to conflict if you choose one that someone else already has. For example, if you choose the same IPv6 ULA subnet as a company you merge with and then set up site-to-site tunnels, you may have conflicts. I know - way too much information. Let’s keep going.
What types of IP addresses are there if there is no more NAT and Private IP’s?
This, in my eyes, is still evolving, and I think it will continue to evolve as we get closer to actually using IPv6 in broader terms. However, three important types will be around for the long term.
Global addresses – Publicly routable on the internet, similar to the addresses you would assign to your external web servers and so on.
Link Local addresses – A randomly generated address, produced by a variety of calculations, similar to the 169.254.x.x address you get when your DHCP server is broken. You can actually just enable IPv6 on the computers on your LAN and connect to them with these.
ULA – The new equivalent of private IP addresses. They are classified as not likely to be duplicated, and are not likely to be routed onto the internet. They all use the same prefix, so it’s easy for sysadmins to block these packets from escaping into the wild: they all begin with fd00:. There is an algorithm, described in RFC 4193, that will give you an address with a high likelihood of not being duplicated.
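The RFC 4193 generation algorithm described above, as an added example that is not part of the original post: a 64-bit NTP timestamp is concatenated with the host's EUI-64, hashed with SHA-1, and the low 40 bits become the Global ID behind the fd00::/8 prefix. The MAC address in the usage line is a constructed sample; on a real host you would use the NIC's own MAC and the current time.

```python
import hashlib
import ipaddress
import time

# RFC 4193 reserves fc00::/7 for ULAs; locally assigned prefixes (L bit = 1)
# form the fd00::/8 block the post refers to, and are the only ones defined so far.
ULA_BLOCK = ipaddress.IPv6Network("fd00::/8")
NTP_EPOCH_OFFSET = 2208988800  # seconds between 1900-01-01 and 1970-01-01


def mac_to_eui64(mac: str) -> bytes:
    """Expand a 48-bit MAC into a modified EUI-64 (RFC 4291 Appendix A)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("MAC address must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # invert the universal/local bit
    return bytes(eui)


def ntp_timestamp(unix_time: float) -> bytes:
    """64-bit NTP timestamp: 32-bit seconds since 1900 plus a 32-bit fraction."""
    ntp = unix_time + NTP_EPOCH_OFFSET
    secs = int(ntp) & 0xFFFFFFFF
    frac = int((ntp - int(ntp)) * (1 << 32)) & 0xFFFFFFFF
    return secs.to_bytes(4, "big") + frac.to_bytes(4, "big")


def rfc4193_prefix(mac: str, unix_time=None) -> ipaddress.IPv6Network:
    """Derive a /48 ULA prefix: SHA-1(NTP time || EUI-64), keep the least
    significant 40 bits as the Global ID, and place it behind fd00::/8."""
    if unix_time is None:
        unix_time = time.time()
    key = ntp_timestamp(unix_time) + mac_to_eui64(mac)
    global_id = hashlib.sha1(key).digest()[-5:]  # low 40 bits of the digest
    prefix_int = int.from_bytes(b"\xfd" + global_id + bytes(10), "big")
    return ipaddress.IPv6Network((prefix_int, 48))


def is_ula(address: str) -> bool:
    """True for addresses in the locally assigned ULA block, i.e. the traffic
    an edge filter should stop from leaving the site."""
    return ipaddress.IPv6Address(address) in ULA_BLOCK


if __name__ == "__main__":
    # Constructed sample MAC; replace with the NIC's real MAC on a live host.
    print(rfc4193_prefix("00:1a:2b:3c:4d:5e"))
```

Because the timestamp is part of the hash input, running the generator twice yields two different prefixes; record the one you pick, since it cannot be recomputed later.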
So now that we all know everything there is to know about IPv6, let’s figure out what we have to do to get IPv6 up and running. There are a number of ways you can do this. What I will describe is what we are doing at The Code Project in order to work towards testing and deploying our websites and services with IPv6.
The basic steps
- Calculate your IPv6 subnet. A class 16 is large enough for most situations; it has 65534 addresses.
- Give your first DC a static IP in the above range. You will need to set the IPv6 address, prefix, gateway and DNS (at least for now in Windows 2008 R2). Just make up the gateway, or don’t assign one, as chances are your gateway doesn’t support IPv6 yet anyway.
- Once this is done you can install the Active Directory Domain Services role.
- Install DNS and set up zones for both IPv4 and IPv6. It’s really no different between the two, but you need to do it twice, once for each.
- Set up DHCP to assign addresses from your range above, for both IPv6 and IPv4.
- Join your computers, assign static addresses to the machines you want static, leave the rest on DHCP, and Bob’s your uncle.
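The address planning behind the subnet, DC, DNS and DHCP steps above, as an added example that is not the post's own material: carve one /64 out of a ULA prefix, place the DC's static address outside the DHCPv6 range so the two cannot collide, and derive the ip6.arpa reverse zone name the DNS step needs. It assumes one /64 per LAN segment, the usual IPv6 subnet size; the prefix and host numbers in the usage line are constructed values.

```python
import ipaddress

ULA_BLOCK = ipaddress.IPv6Network("fd00::/8")  # locally assigned ULAs (RFC 4193)


def reverse_zone_name(network: ipaddress.IPv6Network) -> str:
    """ip6.arpa zone holding the PTR records for `network`: one label per hex
    digit of the prefix, in reverse order (nibble-aligned prefixes only)."""
    if network.prefixlen % 4:
        raise ValueError("reverse zones need a prefix length that is a multiple of 4")
    nibbles = network.network_address.exploded.replace(":", "")
    return ".".join(reversed(nibbles[: network.prefixlen // 4])) + ".ip6.arpa"


def plan_site(prefix: str, subnet_id: int, dc_host: int,
              dhcp_first: int, dhcp_last: int) -> dict:
    """Pick /64 number `subnet_id` inside `prefix`, give the DC host number
    `dc_host`, reserve hosts dhcp_first..dhcp_last for DHCPv6, and return the
    values the AD, DNS and DHCP steps need."""
    site = ipaddress.IPv6Network(prefix)
    if not site.subnet_of(ULA_BLOCK):
        raise ValueError(f"{site} is not a locally assigned ULA prefix")
    if site.prefixlen > 64 or not 0 <= subnet_id < 2 ** (64 - site.prefixlen):
        raise ValueError("subnet id does not fit between the site prefix and /64")
    subnet = ipaddress.IPv6Network((int(site.network_address) + (subnet_id << 64), 64))
    dc = subnet[dc_host]
    first, last = subnet[dhcp_first], subnet[dhcp_last]
    if first >= last:
        raise ValueError("DHCPv6 range is empty")
    if first <= dc <= last:
        raise ValueError(f"static DC address {dc} overlaps the DHCPv6 range")
    return {
        "subnet": str(subnet),
        "dc": str(dc),
        "dc_ptr": dc.reverse_pointer,          # PTR owner name for the DC
        "dhcp_range": (str(first), str(last)),
        "reverse_zone": reverse_zone_name(subnet),
    }


if __name__ == "__main__":
    # Constructed prefix; use the one you generated, not this value.
    for key, value in plan_site("fd12:3456:789a::/48", 1, 10, 0x100, 0xFFFF).items():
        print(f"{key}: {value}")
```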
That’s about it: nothing really too complicated. Since your router or firewall is not likely to support IPv6 fully yet, you are pretty much done. You will notice in DNS that you now have a host A record and a host AAAA (IPv6) record.
You can turn off IPv4 on your locally connected computers and they will be able to connect as they did before, but of course, unless you have IPv6 from your ISP, you won’t be able to get out onto the internet.
What have we done at The Code Project?
We have rebuilt our domain controllers with IPv6 ULA Addresses at our head office. We will be starting to enable all of our machines with IPv6 over the next few weeks and then start testing our code to make sure we can provide an IPv6 version when it becomes possible.