IPv6: Should I have private addresses?
Posted by AlReece45 on Server Fault
Published on 2011-01-13T14:20:03Z
Right now, we have a rack of servers. Every server right now has at least 2 IP addresses, one for the public interface, another for the private. The servers that have SSL websites on them have more IP addresses. We also have virtual servers, that are configured similarly.
Private Network
The private range is currently just used for backups and monitoring. It's a gigabit port; the interface usage does not usually get very high. There are other technologies we're considering using that would use this port:
- iSCSI (implementations usually recommend dedicating an interface to it, which would be yet another IP network),
- VPN to get access to the private range (something I'd rather avoid)
- dedicated database servers
- LDAP
- centralized configuration (like puppet)
- centralized logging
We don't have any private addresses in our DNS records (only public addresses). For our servers to utilize the correct IP address for the right interface (and not hard code the IP address) probably requires setting up a private DNS server (so now we add 2 different DNS entries to 2 different systems).
Public Network
Our public range has a variety of services including web, email, and FTP. There is a hardware firewall between our network and the "public" network. We have a (relatively secure) method to instruct the firewall to open and close administrative access (web interfaces, SSH, etc.) for our current IP address. With either solution discussed, the host-based firewalls will be configured as well.
The public network currently runs at a dedicated 20Mbps link. There are a couple of legacy servers with fast-ethernet ports, but they are scheduled for decommissioning. All of the other production boxes have at least 2 Gigabit Ethernet ports. The more traffic-heavy servers have 4-6 available (none is using more than the 2 Gigabit ports right now).
IPv6
I want to get an IPv6 prefix from our ISP, so that every "server" has at least one IPv6 interface. We'll still need to keep the IPv4 addresses up and available for legacy clients (web servers and email at the very least).
We have two IP networks right now. Adding the public IPv6 address would make it three.
Just use IPv6?
I'm thinking about just dumping the private IPv4 range and using the IPv6 range as the primary means of all communications. If an interface starts reaching its capacity, utilize the newly free interfaces to create a trunk.
It has the advantage of covering the case where either the public or private traffic needs to exceed 1 Gbps. The traffic for each interface is already analyzed on a regular basis to predict future bandwidth use. In the rare instances where bandwidth unexpectedly peaks: utilize QoS to ensure traffic (like our limited SSH access) is prioritized correctly so the problem can be corrected (if possible; our WAN is the bottleneck right now).
It also has the advantage of not needing to make an entry for every private address. We may have private DNS (or just LDAP), but it'll be much more limited in scope with fewer entries to duplicate.
Summary
I'm trying to make this network as "simple" as possible. At the same time, I want to make sure it's reliable, upgradeable, scalable, and (eventually) redundant. Having one IPv6 network, and a legacy IPv4 network, seems to be the best solution to me.
Regarding using assigned IPv6 addresses for both networks, sharing the available bandwidth on one (more trunked if needed):
- Are there any technical disadvantages (limitations, buffers, scalability)?
- Are there any other security considerations (aside from the firewalls mentioned above) to consider?
- Are there regulations or other security requirements (like PCI-DSS) that this doesn't meet?
- Is there typical software for setting up a Linux network that doesn't have IPv6 support yet? (logging, ldap, puppet)
- Some other thing I didn't consider?
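As an added illustration (not part of the original post or of any answer to it), the following Python sketch shows how a single IPv6 delegation can carry both the public and the former "private" traffic classes the question describes: one /64 per role is carved from the delegated prefix, AAAA records are generated so one DNS zone covers every interface instead of two DNS systems, and the "administrative access only from the management network" host-firewall rule becomes a plain address-membership check. An RFC 4193 unique-local prefix generator is included to show the option of keeping a non-routable range for backup traffic. The ISP prefix (2001:db8:abcd::/48, the RFC 3849 documentation range), the role names, the zone name and the host IDs are all assumptions.

```python
import ipaddress

# Assumed, not from the post: the RFC 3849 documentation prefix stands in
# for the /48 the ISP would delegate. Replace with the real allocation.
ISP_PREFIX = ipaddress.IPv6Network("2001:db8:abcd::/48")

# Assumed role layout: one /64 per traffic class that currently rides the
# private IPv4 range, plus the public one. Order fixes the subnet numbers.
ROLES = ("public", "backup", "monitoring", "iscsi")


def carve_subnets(prefix, roles, new_prefix=64):
    """Hand out one /new_prefix per role, in order, from the delegated prefix."""
    gen = prefix.subnets(new_prefix=new_prefix)
    return {role: next(gen) for role in roles}


def ula_prefix(global_id):
    """RFC 4193 unique-local /48: fd00::/8 followed by a 40-bit Global ID.

    In practice the caller passes secrets.randbits(40); taking it as an
    argument keeps the result reproducible here.
    """
    if not 0 <= global_id < (1 << 40):
        raise ValueError("Global ID must be a 40-bit value")
    base = int(ipaddress.IPv6Address("fd00::"))
    # The 40-bit Global ID sits directly below the leading fd byte,
    # i.e. shifted left by 128 - 48 = 80 bits.
    return ipaddress.IPv6Network((base | (global_id << 80), 48))


def host_address(subnet, host_id):
    """Deterministic host address: a small, readable interface ID."""
    return subnet[host_id]


def aaaa_records(plan, hosts, zone="example.net"):
    """Zone-file AAAA lines, <host>.<role>.<zone>, for every role a host is on.

    hosts maps hostname -> {role: host_id}. With one IPv6 plan the public and
    the former private names can live in the same zone instead of two.
    """
    lines = []
    for host, roles in sorted(hosts.items()):
        for role, host_id in sorted(roles.items()):
            addr = host_address(plan[role], host_id)
            lines.append(f"{host}.{role}.{zone}. IN AAAA {addr}")
    return lines


def is_allowed_admin_source(src, allowed_nets):
    """Host-firewall style check: is src inside one of the admin networks?

    An IPv4 source is never inside an IPv6 network, so it is denied too.
    """
    src_addr = ipaddress.ip_address(src)
    return any(src_addr in net for net in allowed_nets)


if __name__ == "__main__":
    plan = carve_subnets(ISP_PREFIX, ROLES)
    for role, net in plan.items():
        print(f"{role:11s} {net}")
    # Constructed Global ID; use secrets.randbits(40) for a real deployment.
    print("ULA for backups if they must never be routable:",
          ula_prefix(0x0123456789))
    # Constructed host inventory.
    hosts = {
        "web1": {"public": 10, "backup": 10, "monitoring": 10},
        "db1": {"backup": 20, "monitoring": 20, "iscsi": 20},
    }
    for line in aaaa_records(plan, hosts):
        print(line)
    admin_nets = [plan["monitoring"]]
    for src in ("2001:db8:abcd:2::5", "2001:db8:abcd::5", "192.0.2.1"):
        verdict = "allowed" if is_allowed_admin_source(src, admin_nets) else "denied"
        print(f"admin access from {src}: {verdict}")
```

The role subnets come out of the delegation in a fixed order, so the plan is reproducible from the prefix alone; the ULA generator is only needed if some class of traffic (backups, iSCSI) must never have a globally routable address at all.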