Department of Defense
High Performance Computing Modernization Program

Introduction

This article focuses on policies and practices recommended for use by network administrators and managers. The focus of this article differs from the focus of the Best Practices article in the Security section. That article focuses on tools and techniques that can be used to detect, prevent, or monitor attempts to use networks in unauthorized ways.

When changing the management infrastructure of a network that currently supports Internet Protocol version 4 (IPv4)-only to either dual-stack (IPv4 and IPv6 are both supported) or IPv6-only, there are no easy or quick solutions. Network management and network security in both environments have been the subject of numerous Internet Engineering Task Force (IETF) Request For Comments (RFC) documents, including:

  • RFC 4057 IPv6 Enterprise Network Scenarios,
  • RFC 4942 IPv6 Transition/Coexistence Security Considerations,
  • IETF draft document Operational Security Considerations for IPv6 Networks (which complements RFC 4942),
  • RFC 6418 Multiple Interfaces and Provisioning Domains Problem Statement,
  • RFC 7381 Enterprise IPv6 Deployment Guidelines,
  • RFC 7556 Multiple Provisioning Domain Architecture,
  • RFC 8043 Source-Address-Dependent Routing and Source Address Selection for IPv6 Hosts,
  • IETF draft document Monitoring Dual Stack/IPv6-only Networks and Services,
  • IETF draft document Recommendations on the Filtering of IPv6 Extension Headers, and
  • RFC 8801 Discovering Provisioning Domain Names and Data.

For more in-depth information, several books on network management are listed in part 3 of the IPv6 Training and Learning Information file in the IPv6 Training and Learning article under the Deployment section.

Perspective on network management in 2007

These observations in RFC 4942 by the IETF Network Working Group for IPv6 network management are valid for dual-stack network management as well as for network security:

It is important to understand that deployments are unlikely to be replacing IPv4 with IPv6 (in the short term), but rather will be adding IPv6 to be operated in parallel with IPv4 over a considerable period, so that security issues with transition mechanisms and dual stack networks will be of ongoing concern. This extended transition and coexistence period stems primarily from the scale of the current IPv4 network. It is unreasonable to expect that the many millions of IPv4 nodes will be converted overnight. It is more likely that it will take two or three capital equipment replacement cycles (between nine and 15 years) for IPv6 capabilities to spread through the network, and many services will remain available over IPv4 only for a significant period whilst others will be offered either just on IPv6 or on both protocols.

Perspective on network management in 2012

These recommendations were provided by the Planning Guide/Roadmap Toward IPv6 Adoption within the US Government, July, 2012 memorandum. While the policies contained in that memorandum are no longer in effect (the memorandum was rescinded Aug, 2018 by Office of Management and Budget (OMB) Memorandum M-18-23 Shifting From Low-Value to High-Value Work), its recommendations remain valid.

IPv4-based network management systems (NMS) and fault tracing tools must undergo significant change to properly manage IPv6 networks. These would include both equipment and component managers as well as managers of managers (MoM) systems.

Replacing a non-conforming NMS is much more difficult than replacing other hardware or software as it tightly integrates with device software and hardware ports. Testing of all types and configuration of devices should be completed prior to system cutover and turn-up.

Perspective on network management in 2016

After a network has transitioned from IPv4-only to dual-stack or IPv6-only, a new type of challenge will arise for network administrators and managers: transitioning from an existing set of IPv6 addresses on the network to a new set of IPv6 addresses. This article on The Headache of IPv6 Readdressing discusses the challenges of such a transition.

Perspective on network management in 2020

This statement is from a March 2020 draft policy memorandum (available here) from the Office of the Federal Chief Information Officer.

The intent of this updated memorandum is to communicate the requirements for completing the operational deployment of IPv6 across all Federal information systems and services, and help agencies overcome barriers that prevent them from migrating to IPv6-only systems. … As soon as possible, complete the upgrade of public/external facing servers and services (e.g. web, email, DNS, ISP services, etc.) and internal client applications that communicate with public Internet services and supporting enterprise networks to operationally use native IPv6.

Network Management Resources

Specific examples, general recommendations, and product information about network management for those deploying IPv6 in an existing IPv4-only network or transitioning to an IPv6-only network are provided by the following articles, reports, papers, seminars, tutorials, and presentations:

  1. This comprehensive IPv6 Network Management tutorial presented at the Asia Pacific Regional Internet Conference on Operational Technologies (APRICOT) covers both the concepts and practices of network management and network monitoring for IPv6 networks. It includes extensive examples of specific software use and reference bibliographies.
  2. This IPv6 Network Management Cookbook prepared by the European 6NET project and this later IPv6 Network Management overview presented by the European 6Deploy project cover concepts and practices of network management, plus some tools developed by the 6NET project. (The European 6NET project completed Jun 2005, followed by the 6DISS project which completed Sept 2007; followed by 6DEPLOY and 6DEPLOY-2 (www.6deploy.eu) which completed Feb 2013. A more recent European IPv6 project was Governments Enabled with IPv6 (GEN6) which completed May 2015. Deliverables and Presentations under the Publications tab of the GEN6 website provide additional material. The current European IPv6 project is IPv6 Framework for European Governments.)
  3. This article describes how to use Software-Defined Networking (SDN) to increase the security of Stateless Address Autoconfiguration (SLAAC) and Neighbor Discovery Protocol (NDP) interactions among computers on a Local Area Network.
  4. Some IPv6-specific network management techniques and tools are described in this Are you neglecting IPv6 network management? article.
  5. See this Mutually Agreed Norms for Routing Security (MANRS) Initiative for wide-area network operators and this Best Current Operational Practices (BCOP) Implementation Guide for stub networks and small providers.
  6. This BCOP on Minimum Security Requirements for Customer Premises Equipment (CPE) Acquisition document provides guidelines when recommending CPE to end-users.
  7. An extensive list of Network Monitoring Tools (over 500 listings) is maintained by the Stanford Linear Accelerator Center (SLAC) National Accelerator Laboratory. Not all these tools specifically state support for IPv6.
  8. Using the framework of the International Standards Organization (ISO) Fault, Configuration, Accounting, Performance, Security (FCAPS) model for network management, this NetworkWorld article informally discusses software for IPv6 network management.
  9. This Cisco Systems, Inc. white paper offers recommendations for non-IP specific network management, while this white paper offers recommendations for enabling network management via IPv6 transport on an infrastructure that was previously IPv4-only.
  10. This Federal IPv6 Techtorial presentation hosted by BrightTALK provides a snapshot of network management products and best practices as of May, 2012.
  11. This IPv6 Deployment In Local Area Networks by Samenwerkende Universitaire Reken Faciliteiten Network (SURFNet), April, 2011, provides IPv6 configuration management guidance from the network level down to the individual device level.
  12. This Wikipedia article lists and compares the features of many NMS.
  13. In 2002, the then European 6NET project published this IPv6 Network Management Cookbook. Its recommendations are still valid for any IPv6 network management infrastructure. (See item 2 above for a summary of subsequent European IPv6 deployment project evolution.)
