gogo6 IPv6 Video Series. Event, presentation and speaker details below:
EVENT
gogoNET LIVE! 3: Enterprise wide Migration. http://gogonetlive.com
November 12 – 14, 2012 at San Jose State University, California
Agenda: http://gogonetlive.com/4105/gogonetlive3-agenda.asp
PRESENTATION
Reverse Proxies as Enterprise IPv6 Entry Points
Abstract: http://www.gogo6.com/profiles/blogs/my-presentation-at-gogonet-live-3?xg_source=activity
Presentation video: http://www.gogo6.com/video/reverse-proxies-as-enterprise-ipv6-entry-points-by-patrick-chang
Interview video: http://www.gogo6.com/video/interview-with-patrick-chang-at-gogonet-live-3-ipv6-conference
SPEAKER
Patrick Chang - Senior Regional Architect, F5
Bio/Profile: http://www.gogo6.com/profile/PatrickChang
1. 1
Implementing IPv6 Services with a Reverse Proxy
Presented by: Patrick Chang
November 2012
APPLE RUNS BETTER WITH F5
2. 2
Existing IPv4 Service
[Diagram labels: IPv4 Clients, IPv4 Proxy Load Balancer, IPv4 App Servers, IPv4 DB Servers]
3. 3
IPv4 Data Flow
• Load balancer is a reverse proxy
  – Presents external facing IPv4 Service
  – Connects to internal IPv4 resources
• Incoming traffic
  – Target is IPv4 address on reverse proxy
  – Reverse proxy terminates connection
  – Reverse proxy opens new connection to back end IPv4 resources
• Return traffic
  – Server responses go back to reverse proxy
  – Reverse proxy manipulates IP headers of response
  – Reverse proxy sends response back to IPv4 clients
5. 5
IPv6 Data Flow
• Load balancer is a reverse proxy
  – Presents external facing IPv6 Service
  – Connects to existing internal IPv4 resources
  – Capable of connecting to new internal IPv6 resources
• Incoming traffic
  – Target is IPv6 address on reverse proxy
  – Reverse proxy terminates connection
  – Reverse proxy opens new connection to existing IPv4 resources
• Return traffic
  – Server responses go back to reverse proxy
  – Reverse proxy manipulates IP headers of response
  – Reverse proxy sends response back to IPv6 clients
6. 6
Single and Dual Stack
• Separate IPv6 FQDN (Single Stack)
  – IPv4 FQDN -> A query = IP, AAAA record = NXDomain
  – IPv6 FQDN -> A query = NXDomain, AAAA record = IP
• Same IPv6 and IPv4 FQDN (Dual Stack)
  – A query = IPv4 address
  – AAAA query = IPv6 address
• Recent OSs send AAAA query, then A query
  – Client on IPv6 only -> IPv6 response = it works
  – Client on IPv4 and IPv6 -> IPv6 response = it works
  – Client on IPv4 only -> IPv6 response = broken
• Possible Fixes
  – LDNS Whitelist
  – AAAA from IPv4 LDNS = NXDomain
8. 8
OSI Implications
• IP (v4 and v6) = Network Layer
• TCP, UDP = Transport Layer
  – 4 > 3
  – Unaffected by IPv6
• SSL = Presentation Layer
  – 6 > 3
  – Unaffected by IPv6
• Compression = Presentation Layer
  – 6 > 3
  – Unaffected by IPv6
9. 9
Application Layer
• HTTP, SMTP, Client – Server = Application Layer
  – 7 > 3
  – Unaffected by IPv6????
• IPv6 client -> IPv4 service
  – Reverse proxy must open connection to IPv4 service from IPv4 address
  – Does application require real client IP?
• HTTP over IPv6 -> IPv4 service
  – X-Forwarded-For
    • Web server configuration logs X-Forwarded-For
    • Can log analyzer parse IPv6 addresses?
10. 10
Possible Workarounds
• Change application
  – Custom IP stack in reverse proxy
  – 4X IPinIP encapsulation
  – Mapped source IP
  – Router with static routes
  – Custom IP stack in app servers
  – 4X IPinIP unencapsulation
• Log separately
  – Reverse proxy inserts custom request ID
  – Reverse proxy logs IPv6 and custom request ID
  – Reverse proxy opens IPv4 connection from “magic” IP
  – Application logs “magic” IP and custom request ID
  – Log analyzer maps real IP via custom request ID
• Upgrade log analysis system
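
The "log separately" workaround above, sketched as an added example (not from the presentation or any F5 product): a log analyzer joins the reverse proxy's log to the application's log on the custom request ID to recover the real IPv6 client. The log line formats, the `rid` field name and the "magic" address 10.0.0.250 are assumptions made for this illustration, and the sample log lines are constructed.

```python
import ipaddress

# Constructed sample data; the log formats, the request IDs and the
# "magic" source address 10.0.0.250 are assumptions for this example.
MAGIC_IP = ipaddress.ip_address("10.0.0.250")

PROXY_LOG = """\
2012-11-12T10:00:01Z rid=a1f3 client=2001:db8:10::25
2012-11-12T10:00:02Z rid=a1f4 client=2001:DB8:10:0:0:0:0:99
2012-11-12T10:00:03Z rid=a1f5 client=not-an-address
"""

APP_LOG = """\
2012-11-12T10:00:01Z src=10.0.0.250 rid=a1f3 GET /login 200
2012-11-12T10:00:02Z src=10.0.0.250 rid=a1f4 POST /login 401
2012-11-12T10:00:02Z src=192.0.2.44 rid=- GET /index 200
2012-11-12T10:00:04Z src=10.0.0.250 rid=ffff GET /admin 403
"""

def parse_fields(line):
    """Return the key=value tokens of one log line as a dict."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)

def load_proxy_map(proxy_log):
    """Map request ID -> validated client address logged by the proxy."""
    mapping = {}
    for line in proxy_log.splitlines():
        f = parse_fields(line)
        try:
            mapping[f["rid"]] = ipaddress.ip_address(f["client"])
        except (KeyError, ValueError):
            continue  # malformed entry: never trust it as a client IP
    return mapping

def resolve_clients(app_log, proxy_map):
    """Yield (request ID, real client IP or None, raw app log line)."""
    for line in app_log.splitlines():
        f = parse_fields(line)
        src = ipaddress.ip_address(f["src"])
        if src != MAGIC_IP:
            yield f.get("rid"), src, line      # native IPv4 client
        else:
            # None marks a proxied request with no matching proxy record,
            # which an analyst should treat as a gap to investigate.
            yield f["rid"], proxy_map.get(f["rid"]), line

if __name__ == "__main__":
    for rid, ip, line in resolve_clients(APP_LOG, load_proxy_map(PROXY_LOG)):
        print(rid, ip if ip else "UNRESOLVED", "|", line)
```

Parsing with `ipaddress` normalizes the differently written IPv6 forms to one canonical string, so per-client counts in the analyzer do not split one address across several spellings.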